Tag: Consumer Protection

One-Two Punch: Businesses Must Fight the Virus and Possible Liability Claims

After several weeks in lockdown and thousands of business closures in an attempt to control the spread of the novel coronavirus, businesses are finally reopening their doors. Given the high transmission of COVID-19, businesses should consider their risks of legal liability to visitors on their property – customers, employees and others – in the event of COVID-19 exposure at their premises.  But the fear of civil liability remains a hindering problem. These claims will most commonly be pursued under the legal theory of negligence and plaintiffs may seeking financial compensation for their injuries and medical treatment related to COVID-19. Plaintiff’s lawyers in these cases will focus on the operations and procedures in place during the reopening. Some businesses are taking extraordinary measures to protect customers, while others are doing the bare minimum. Businesses need to know how to be in compliance with best safety practices to prevent and defend against claims related to an alleged failure to protect customers from COVID-19 exposures.

Immunity for Businesses for COVID-19 Exposure?

A large number of states, including Massachusetts, have enacted laws to shield health care workers, health care facilities and volunteer organizations treating COVID-19 patients from negligence claims subject to certain exceptions. However, the immunity does not extend to cover damages caused by gross negligence or recklessness. It is important to note that these states have not provided similar immunity to other businesses, nor have they limited liability in cases involving gross negligence for COVID-19 related claims. There have been discussions of additional legislation to protect businesses in these cases, but this has yet to happen.

Tort Claims and Premises Liability Law in Massachusetts

Personal injury claims typically stem from negligent acts, where a party had a duty of care, failed to reasonably care for that individual, and that failure to care caused the individual harm or injury. A ”duty of care” exists when its reasonably foreseeable that some act or omission would cause some type of knowable harm, and thus taking reasonable action to ensure safety. The breach of that duty is the act or omission that causes the harm. The breach of duty must cause some damages. Damages are monetary compensation for the victim’s injuries and losses if liability is found.

Premises liability law, a subset of personal injury law, similarly holds that property owners owe a duty of reasonable care to visitors on their premises in Massachusetts, so as to not create or allow unsafe or hazardous conditions to exist on their premises that could cause injury or harm to patrons and guests. If a hazardous condition exists that could reasonably cause harm, and the property owner fails to remove it or warn of it, this could ultimately result in liability.

The duty of care is stricter for business owners, as they invite persons onto their property to purchase goods or services. The level of care owed depends upon the type of visitor on the property. Massachusetts has two types of lawfully present visitors: 1) licensees- individuals presenting financial gain for the property owner like patrons, diners, shoppers; and 2) invitees- those who are not providing any financial gain to the property owner like guests and friends at a social gathering. The property owner owes its visitors a duty of care, that is to keep the property reasonably safe. In this context, the property owner is well aware of the risks associated with COVID-19, the nature of the disease and how it is transmitted. If it did not take reasonable steps to prevent the transmission of the virus to its licensees and invitees, and the claimant can prove the business’ failure to exercise reasonable care was a “substantial contributing factor” in causing the claimant’s injury, they may be entitled to damages, which can include among other things, medical expenses, economic damages, and even emotional distress.

Breach of Duty

There is an abundance of guidance available to businesses on the virus, transmission, preventative measures. Whether a business “breached” their duty of care will focus on what the business did to determine if taking action (or taking no action) was reasonable or not, given the state of knowledge on the virus. Thus, claimants would need to point to what steps the businesses took to protect its licensees and invitees, and whether there were additional procedures that could have been implemented to prevent the transmission, and whether those additional actions were reasonable in light of what was known about the virus. Intentional ignorance is not a defense – property owners have a duty to investigate known or potential hazards, including COVID-19.

Causation

Claimants in tort claims have the burden of proving causation. This usually means proving that the breach of duty was a “substantial contributing factor” in causing the claimant’s injury. In COVID-19 cases, the claimant will ultimately need to prove that the virus was contracted at that business as opposed to another source, which may be extremely difficult to do. Asymptomatic spread of COVID-19 is one of many challenges to proving the initial source of exposure. While some claimants will rely on contact tracing, that alone does not rule out alternative sources of COVID-19 exposure – any other place the person visited (markets, homes, their workplace), and exposure to family members and friends.

Notably, a large number of states are enacting legislation applicable to workers compensation claims related to COVID-19. This legislation establishes a rebuttable presumption that an employee who tests positive for COVID-19 contracted it in the course of employment, although some are limited to essential workers. A “rebuttable presumption” means that the burden of disproving causation is thrust upon the employer. While there are no similar rebuttable presumptions for personal injury and premise liability claimants at this time, it is an open question as to whether these presumptions can be used affirmatively in tort lawsuits, particularly in a situation where a worker brings COVID-19 into the home and sickens a family member or housemate.

Mitigating Liability

If businesses can show that safety protocols were followed, this evidence can be used to defend these types of claims. The Centers for Disease Control and Prevention (CDC) has set guidelines that should be followed as best practices to avoid COVID-19 liability claims. There is an abundance of state and local guidance on social distancing, use of masks and other measures to prevent the spread of the virus. With the vast amount of information available to the public on the risks of the virus and preventative measures, claimants will argue that businesses have enough information to safely operate Crafty plaintiff’s lawyers will likely seek out and find guidance that specifically supports their clients case. Business owners are advised to do the same for their respective industries, whether it be restaurants, offices or youth sports leagues.

Defenses to Consider in Defending COVID 19 Liability Claims

Statute of Limitations

The statute of limitations for in Massachusetts governing personal injury and premises liability cases places a time limit of three years within the date of the incident for filing the lawsuit. Lawsuits filed after the statute of limitations period may be dismissed as “time-barred.” Other states have similar statutes, although the specific timeframe may vary.

Modified Comparative Negligence Law

Some states, including Massachusetts, use a modified comparative negligence rule in personal injury cases, allowing plaintiffs to recover only if the defendant’s share of the blame was equal to or greater than their own. There are only a few exceptions allowing plaintiffs to recover if they were more than 51% at fault. Another important factor of this rule to consider is that if plaintiffs are found to be at fault, their damages are reduced by their allocated share of the blame. Did the visitor where a mask? Did they stay 6 feet apart from other individuals? Did they wash their hands and sanitize frequently? Were they placing their hands on their mouth and nose? These facts and circumstances are critical factors to consider when shifting the blame to the claimant.

Assumption of Risk Abolished in Massachusetts

Some jurisdictions allow a defendant in a personal injury action to raise an affirmative defense of assumption of risk, but that is abolished in Massachusetts as a defense in personal injury cases. In jurisdictions where this defense is allowed, instead of denying the allegations, defendants can assert that a plaintiff was aware of the risk when engaging in the activity or conduct, fully had knowledge of the consequences and willingly disregarded the risks or assumed the risks. Therefore, the defendant cannot be at fault for negligence and this serves as a complete bar to recovery.

Liability Waivers

Did a plaintiff sign a written liability waiver acknowledging and accepting risks? Enforceability of liability waivers as well as the exceptions to the enforceability of releases vary from state to state. While this only shows licensees and invitees were made aware of the risk, using such waivers in these COVID 19 claims is not a slam dunk defense.

Conclusion

We encourage businesses to consider these liability risks when resuming operations and to follow comprehensive procedures and CDC guidelines to mitigate the risks and protect licensees and invitees from the spread of the virus at these establishments. Our office can help businesses develop a plan specific to their business to mitigate the risks of liability from emerging claims related to COVID 19 and provide guidance and advocacy for defending such claims.

©2020 CMBG3 Law, LLC. All rights reserved.

ARTICLE BY Seta Accaoui at CMBG3 Law.
For more on business COVID-19 liability, see the National Law Review Coronavirus News section.

Clash of Consumer Protection Goals: Does the Text of the TCPA Frustrate the Purposes of the CPSA?

“Hello.  This is an automated call from Acme Manufacturing. Our records indicate that you purchased Product X between December 2019 and January 2020. We wanted to let you know that we are recalling Product X because of a potential fire risk. Please call us or visit our website for important information on how to participate in this recall.”

When companies recall products, they do so to protect consumers.  In fact, various federal laws, including the Consumer Product Safety Act (CPSA), the Federal Food, Drug, and Cosmetic Act (FDCA), and National Highway and Motor Vehicle Safety Act (MVSA), encourage (and may require) recalls. And the agencies that enforce these statutes would likely approve of the hypothetical automated call above because direct notification is the best way to motivate consumer responses to recalls.[1]

But automated calls to protect consumers can run into a problem: the Telephone Consumer Protection Act (TCPA).

Are Recall Calls a Nuisance or an Emergency?

The TCPA seeks to protect consumers from the “nuisance and privacy invasion” of unwanted automated marketing calls.[2] The TCPA prohibits any person from making marketing calls to landlines, or any non-emergency calls or text messages[3] to wireless lines, using automated dialers or recorded messages unless the recipient has given prior written consent. The Act includes a private right of action and statutory per-violation damages – $500, trebled to $1,500 if a court finds the violation willful and knowing.[4] These penalties can add up quickly: In one case, a jury found that a company violated the TCPA nearly two million times, exposing the company to minimum statutory damages totaling almost $1,000,000,000.[5]

There is an important exception to the TCPA’s prohibition on automated calls. The TCPA allows autodialed calls for emergency purposes,[6] but the Act does not define that phrase. While the FCC has interpreted emergency purposes to mean “calls made necessary in any situation affecting the health and safety of consumers,”[7] recalls are not explicitly identified within this definition. As a result, aggressive plaintiffs have demanded millions in damages from companies that use automatic dialers to disseminate recall messages.[8]

For example, a grocery chain – Kroger – made automated calls to some purchasers of ground beef as part of a recall stemming from salmonella concerns. A plaintiff responded with a purported class action that did not mention the recall [9] but was based on consumers alleging that they had received “annoying” “automated call[s] from Kroger.”

Moving to dismiss, Kroger observed that the plaintiff – who had not listened to the call beyond its initial greeting[10] and thus could not comment on the call’s text – had “cherry-picked”[11] portions of consumers’ online comments to support the case, omitting text that clearly demonstrated that the calls were made for health and safety purposes.[12] Kroger argued that the online comments did not support the plaintiff’s allegations that Kroger had made any marketing calls.

The court granted Kroger’s motion and dismissed the complaint without leave to amend. Even so, Kroger was compelled to spend time and money defending the claim.

In light of this type of lawsuit, one communications firm involved in automotive recalls has petitioned the FCC to “clarify . . . that motor vehicle safety recall-related calls and texts are ‘made for emergency purposes.’”[13] The Association of Global Automakers and the Alliance of Automobile Manufacturers commented in support of the petition, arguing that the “[l]ack of clarity regarding TCPA liability for vehicle safety recall messages has had a chilling effect on these important communications.”[14] The Settlement Special Administrator for the Takata airbag settlements also wrote in support, commenting that automated “recall-related calls and texts serve an easily recognizable public safety purpose.”[15]

The TCPA’s emergency exception offers protection in litigation. The FCC’s definition – “calls made necessary in any situation affecting the health and safety of consumers” – neatly encapsulates the entire function of a recall, namely acting to protect consumers’ health and safety. Moreover, in developing the emergency exception, Congress broadened initial language that excepted calls made by a “public school or other governmental entity” to the enacted “emergency purposes” phrasing precisely to ensure the exception encompassed automated emergency calls by private entities.[16] One of the seminal emergency purposes for which a private entity might seek to make automated calls is a product recall.

Even with such sound arguments that TCPA claims related to recall calls are without merit within the statute, however, aggressive plaintiffs have brought such claims. These efforts compel companies to spend finite resources defending claims that should not be brought in the first place. An express statutory or regulatory statement that recalls are squarely within the definition of emergency purposes would give companies greater confidence that not only would they be able to successfully defend against any effort to pit the TCPA against consumer-protection values, but that the claims are so unlikely to be brought that the companies need not even fear to have to defend.

Protecting Against Recall-Call Complaints

Until the FCC or Congress expressly instructs plaintiff’s counsel not to try to litigate against automated recall calls, there are steps companies that want to use automated dialers to drive recall responses can take to minimize any risk of a court misinterpreting their calls or finding TCPA liability where it should not attach.

For example, companies may (as some already do) ask for customers’ consent to be autodialed in connection with the products they have purchased – e.g., by including consent language on product warranty cards or registration forms. In fact, the Consumer Product Safety Improvement Act of 2008 (CPSIA)[17] already requires manufacturers of durable infant and toddler products to include registration cards for recall-communication purposes.[18] Companies in some other industries (like the on- and off-road motor vehicle industries) typically have robust registration systems that can incorporate auto dialing consent, and more companies in other spaces may want to consider using registration to facilitate recalls.

Further, automated recall calls should focus on the recall. If calls extend to marketing messaging, that could undermine both a future TCPA defense and the efficacy of that and future recall communications.

Optimally, companies would be less likely to need these defenses if the statute more clearly signaled to would-be litigants that they should not even bother. If the FCC grants the pending petition and plainly states that product recalls are emergencies for TCPA purposes, courts’ deference to agency interpretations might deter at least some complaints. A statutory amendment would be the surest guarantee, though, and manufacturers may wish to ask Congress to amend the TCPA to clarify that recall messages are emergency messages.

[1] See, e.g., Joseph F. Williams, U.S. Consumer Prod. Safety Comm’n, Recall Effectiveness Workshop Report, 5 (Feb. 22, 2018).

[2] Pub. L. No. 102-243, § 2(12), 105 Stat. 2394, 2395 (Dec. 20, 1991).

[3] Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, CG Docket No. 02-278, Report and Order, 18 FCC Rcd 14014, 14115, para. 165 (2003)

[4] TCPA at § 3(a), 105 Stat. at 2399 (codified at 47 U.S.C. § 227(c)(5)).

[5] Wakefield v. ViSalus, Inc., No. 3:15-cv-1857-SI (D. Or.).

[6] See, e.g., TCPA at § 3(a), 105 Stat. at 2395-96 (codified at 47 U.S.C. § 227(b)(1)(A)).

[7] 47 C.F.R. § 64.1200(f)(4).

[8] See, e.g., Compl., Ibrahim v. Am. Honda Motor Co., Inc., No. 1:16-cv-04294, Dkt. #1 (N.D. Ill. Apr. 14, 2016).

[9] Compl., Brooks v. Kroger Co., No. 3:19-cv-00106-AJB-MDD, Dkt. #1 (S.D. Cal. Jan. 15, 2019) (“Brooks”).

[10] Pl. Opp. to Mot. to Dismiss at 5, Brooks, Dkt. #9 (Apr. 4, 2019).

[11] Reply in Supp. of Mot. to Dismiss at 7, Brooks, Dkt. #10 (Apr. 11, 2019).

[12] The plaintiff quoted one complaint as “Automated call from Kroger.” Compl. at 3-4, Brooks. As the defense noted, that complaint continued, “requesting that you return ground beef . . . due to the threat of salmonella.” Mem. in Supp. of Mot. to Dismiss at 6, Brooks Dkt. #7 (Mar. 21, 2019).

[13] IHS Markit Ltd. Petition for Emergency Declaratory Ruling, CG Docket No. 02-278, Petition, ii (Sept. 21, 2018).

[14] IHS Markit Ltd. Petition for Emergency Declaratory Ruling, CG Docket No. 02-278, Comments of Association of Global Automakers, Inc. and Alliance of Automobile Manufacturers, 9 (Nov. 5, 2018).

[15] IHS Markit Ltd. Petition for Emergency Declaratory Ruling, CG Docket No. 02-278, Comments of Patrick A. Juneau, 3 (Nov. 5, 2018).

[16] S. Rep. No. 102-178, 5 (Oct. 8, 1991).

[17] Pub. L. No. 110-314, 122 Stat. 3016 (Aug. 14, 2008) (codified as amended at 15 U.S.C. § 2056a).

[18] 15 U.S.C. § 2056a(d).

© 2020 Schiff Hardin LLP

For more on CPSA, FDCA, MVSA & other recalls, see the National Law Review Consumer Protection law section.

Florida’s Legislature to Consider Consumer Data Privacy Bill Akin to California’s CCPA

Florida lawmakers have proposed data privacy legislation that, if adopted, would impose significant new obligations on companies offering a website or online service to Florida residents, including allowing consumers to “opt out” of the sale of their personal information. While the bill (SB 1670 and HB 963) does not go as far as did the recent California Consumer Privacy Act, its adoption would mark a significant increase in Florida residents’ privacy rights. Companies that have an online presence in Florida should study the proposed legislation carefully. Our initial take on the proposed legislation appears below.

The proposed legislation requires an “operator” of a website or online service to provide consumers with (i) a “notice” regarding the personal information collected from consumers on the operator’s website or through the service and (ii) an opportunity to “opt out” of the sale of certain of a consumer’s personal information, known as “covered information” in the draft statute.

The “notice” would need to include several items. Most importantly, the operator would have to disclose “the categories of covered information that the operator collects through its website or online service about consumers who use [them] … and the categories of third parties with whom the operator may share such covered information.” The notice would also have to disclose “a description of the process, if applicable, for a consumer who uses or visits the website or online service to review and request changes to any of his or her covered information. . . .” The bill does not otherwise list when this “process” would be “applicable,” and it nowhere else appears to create for consumers any right to review and request changes.

While the draft legislation obligates operators to stop selling data of a consumer who submits a verified request to do so, it does not appear to require a description of those rights in the “notice.” That may just be an oversight in drafting. In any event, the bill is notable as it would be the first Florida law to require an online privacy notice. Further, a “sale” is defined as an exchange of covered information “for monetary consideration,” which is narrower than its CCPA counterpart, and contains exceptions for disclosures to an entity that merely processes information for the operator.

There are also significant questions about which entities would be subject to the proposed law. An “operator” is defined as a person who owns or operates a website or online service for commercial purposes, collects and maintains covered information from Florida residents, and purposefully directs activities toward the state. That “and” is assumed, as the proposed bill does not state whether those three requirements are conjunctive or disjunctive.

Excluded from the definition of “operator” is a financial institution (such as a bank or insurance company) already subject to the Gramm-Leach-Bliley Act, and an entity subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Outside of the definition of “operator,” the proposed legislation appears to further restrict the companies to which it would apply, to eliminate its application to smaller companies based in Florida, described as entities “located in this state,” whose “revenue is derived primarily from a source other than the sale or lease of goods, services, or credit on websites or online services,” and “whose website or online service has fewer than 20,000 unique visitors per year.” Again, that “and” is assumed as the bill does not specify “and” or “or.”

Lastly, the Department of Legal Affairs appears to be vested with authority to enforce the law. The proposed legislation states explicitly that it does not create a private right of action, although it also says that it is in addition to any other remedies provided by law.

The proposed legislation is part of an anticipated wave of privacy legislation under consideration across the country. California’s CCPA took effect in January and imposes significant obligations on covered businesses. Last year, Nevada passed privacy legislation that bears a striking resemblance to the proposed Florida legislation. Other privacy legislation has been proposed in Massachusetts and other jurisdictions.

©2011-2020 Carlton Fields, P.A.

For more on new and developing legislation in Florida and elsewhere, see the National Law Review Election Law & Legislative News section.

FDA Issues Warning Letters, Cautions Consumers on Unapproved CBD Products

Nearly a year after the 2018 Farm Bill legalized hemp nationwide, the legal status of one of its most popular products, cannabidiol (CBD), is becoming clearer.

On Nov. 25, the U.S. Food and Drug Administration (FDA) issued a revised consumer update regarding unapproved CBD products and issued a new round of warning letters to CBD retailers selling products in violation of the Food, Drug and Cosmetics Act (FDCA). The agency also warned of potential health risks and safety concerns associated with numerous unapproved CBD products. The FDA publicized its determination that CBD cannot be considered as Generally Recognized as Safe (GRAS) under federal law, foreclosing one of the regulatory paths available to the FDA for allowing CBD as a food ingredient.

These recent actions underscore the FDA’s interpretation that food products, unapproved drugs, dietary supplements and cosmetics containing CBD sold in interstate commerce often violate the FDCA.

FDA warning letters

In this recent round of enforcement efforts, the FDA issued fifteen warning letters to CBD companies selling a variety of products in interstate commerce, including balms, capsules, oils, tinctures, lotions, gummies, chews and sprays that were marketed for use by adults, children and animals.

The letters outline the FDA’s legal analysis which concludes that the products at issue were marketed in interstate commerce as unapproved new drugs, misbranded drugs, adulterated foods or improperly labeled as dietary supplements in violation of the FDCA. The crux of this analysis is that CBD is an active ingredient in an approved drug as well as other drugs under clinical investigation.

These products triggered FDCA violations in a variety of ways:

  • Unapproved new drugs – CBD products making claims to prevent, diagnose, mitigate, treat or cure serious diseases, such as cancer, AIDS, schizophrenia and diabetes.
  • Misbranded drugs – CBD products marketed as drugs that also fail to bear adequate directions for use.
  • Dietary supplement labeling – Improperly using the label “dietary supplement” when it does not meet the definition under the FDCA.
  • Adulterated human food – CBD products marketed as conventional human foods and contain a drug approved by the FDA.

Each warning letter identified an “unapproved new drug” violation with products making aggressive health claims surrounding cancer or other similar serious conditions, suggesting the FDA continues to focus its efforts at “egregious, over-the-line” health claims as referenced by former FDA Commissioner Scott Gottlieb.

FDA consumer update

The FDA simultaneously issued a consumer update, signaling that unapproved CBD products remain prohibited under the FDCA. The agency noted it has seen only limited data about CBD safety and that some of the data points to risks that should be considered before taking CBD.

The FDA warned that unapproved CBD products may pose safety risks and make unproven health claims. The FDA fears consumers may put off getting proper diagnosis, treatment or supportive care due to unsubstantiated claims associated with CBD products.

Additionally, the FDA noted the information it currently has “underscores the need for further study and high quality, scientific information about the safety and potential uses of CBD.” The consumer update further notes:

  • No FDA evaluation of CBD products – There has been no FDA evaluation of whether unapproved CBD products are effective for their intended use, what the proper dosage might be, how they could interact with FDA-approved drugs or whether they have dangerous side effects or other safety concerns.
  • Potential health risks – Specifically, the FDA also identified some of the potential risks associated with using CBD products, including liver injury and male reproductive toxicity. Other potential health risks remain unknown to date, including the effects of sustained daily usage by adults as well as the effects on children, breastfed newborns and developing fetuses.
  • Side effects – Other side effects include drowsiness, gastrointestinal distress and increased irritability and agitation.
  • Unregulated manufacturing process and product safety is unknown – The manufacturing process of unapproved CBD drug products has not been subject to FDA review and the effects of CBD containing potentially unsafe levels of contaminants, such as pesticides and heavy metals, are unknown.

CBD remains a legal product

Despite this recent action from the FDA, hemp-derived CBD remains a legal product under federal law, but it must be marketed without violating the FDCA. Additionally, the warning letters and consumer update highlight that the FDA is targeting its enforcement to companies engaged in interstate commerce and making egregious, unsubstantiated health claims.

As is the case with other cannabis issues, the disconnect between state and federal law means companies are finding ways to bring products to market while limiting their risk. However, stakeholders must be aware of the risks under state and federal law when marketing any product containing CBD.

Expect more information from the FDA soon

The consumer update also notes that the FDA is “evaluating the regulatory frameworks that apply to certain cannabis-derived products that are intended for non-drug uses, including whether and/or how the FDA might consider updating its regulations, as well as whether potential legislation might be appropriate.” More information will be coming soon from the FDA, but it may be awhile before CBD can be marketed legally as a food ingredient or dietary supplement under federal law.

Copyright © 2019 Godfrey & Kahn S.C.

More on FDA CBD Regulation via the National Law Review Biotech, Food & Drug law page.

CPSC Staff Addresses IoT 2018 Hearing Feedback, IoT Project Plans in New Report

Connected products can make the world a safer place: electronic sensors in the home can detect problems and send smartphone notifications to the homeowner; smart alert devices can notify family members or home help companies that an elderly person has fallen and needs assistance. But with over 64 billion connected products in the marketplace, there is a concern that connected devices could introduce hazards that might lead to a risk of injury due to problems with software updates or customization, faulty connections, and even consumer modifications.

As the body charged with overseeing consumer product safety in the U.S., over the last few years, the Consumer Product Safety Commission (CPSC) has shown an increasing interest in defining its role with regard to connected products. In May 2018, the CPSC held a public hearing on IoT, obtaining feedback from a range of stakeholders on potential risks of connected consumer products and the agency’s role. In late September, CPSC staff submitted to the Commission a status report outlining the CPSC’s work on consumer product IoT issues since the public hearing. The report also outlines how CPSC staff understands the agency’s role, which is safeguarding consumers from potential physical product risks, as well as how its work intersects with the jurisdiction of other agencies as they oversee connected products.

The report notes that this is an ongoing process, stating that CPSC staff is working on “how to define consumer product safety in terms of the IoT, the intersection of, and interdependencies among, consumer product safety, data security and privacy, and how our traditional risk management approaches apply to connected products.” The report acknowledges that privacy and data security are not within CPSC’s jurisdiction, but noted that at least one participant in CPSC’s 2018 hearing warned that “CPSC should pay attention to certain cybersecurity threats that create opportunities for physical harm, a risk not previously considered, and resist creating any prescriptive rules for IoT devices.”

To increase institutional knowledge of IoT benefits and challenges, CPSC has dedicated resources to develop its staff’s expertise. CPSC has also participated in developing voluntary standards, has taken a leadership role in establishing an interagency IoT working group, and has been developing its capability to simulate home networks at its laboratory.

The staff report outlines three ongoing internal projects relating to IoT. The first involves developing a methodology for assessing safety-related implications arising out of software and firmware updates to connected products. This project is at what CPSC views as the intersection of product safety and data security and potential “hazardization” of connected products as a result of data vulnerabilities. CPSC is also looking at connected heating appliances and the risks associated with their remote activation. Finally, CPSC is studying smart toys “in an effort to identify physical safety hazards.” It is surprising that CPSC staff would dedicate resources to toys as opposed to other products, like in-home safety devices, since the physical safety of toys is strictly regulated by the mandatory toy safety standard, ASTM F-963. The likelihood of physical hazardization of toys is far lower than, for example, connected home security devices and sensors. In those categories, connectivity, and thus security breaches that affect the operation of those devices, may be directly related to both safety risks and advantages. Indeed, home safety devices is a category where we have actually seen CPSC recall activity.

The report notes that CSPC is engaging in product safety assessments of connected& shared e-scooters. This is likely in response to reports of e-scooters that were vulnerable to hacking. The emerging hazards of micro-mobility devices such as shared e-scooters are also a focus of CPSC’s Operating Plan for Fiscal Year 2020 and represent another product category that appears to be more vulnerable to hazardization than connected toys.

CPSC staff intended to develop a best practices guide for industry and consumers on connected products, which was an enumerated project in the proposed Operating Plan for Fiscal Year 2020. However, an amendment introduced by Commissioner Feldman focuses CPSC’s resources on IoT intergovernmental work instead. Given the report’s acknowledgment that the agency is still working to develop staff expertise in IoT, attempting to create such a guide appears premature at this juncture.

The sharp increase in the number of connected devices in the market means it is necessary and appropriate for CPSC to continue to build expertise on IoT issues, even though very few examples of actual product safety hazards attributable to some type of connectivity failures exist. It would be useful for CPSC to focus its efforts and resources on product categories that pose a higher potential risk to the physical safety of consumers through hazardization or failure as a result of connectivity, without overstating potential risks. It is encouraging that through the intergovernmental initiatives a variety of federal agencies are working collaboratively to better understand the various consumer protection issues potentially raised by connected products that fit within their respective jurisdictions.

© 2019 Keller and Heckman LLP

For more CSPC regulation, see the National Law Review Consumer Protection law page.

CCPA Alert: California Attorney General Releases Draft Regulations

On October 10, 2019, the California Attorney General released the highly anticipated draft regulations for the California Consumer Privacy Act (CCPA). The regulations focus heavily on three main areas: 1) notices to consumers, 2) consumer requests and 3) verification requirements. While the regulations focus heavily on these three topics, they also discuss special rules for minors, non-discrimination standards and other aspects of the CCPA. Despite high hopes, the regulations do not provide the clarity many companies desired. Instead, the regulations layer on new requirements while sprinkling in further ambiguities.

The most surprising new requirements proposed in the regulations include:

  • New disclosure requirements for businesses that collect personal information from more than 4,000,000 consumers
  • Businesses must acknowledge the receipt of consumer requests within 10 days
  • Businesses must honor “Do Not Sell” requests within 15 days and inform any third parties who received the personal information of the request within 90 days
  • Businesses must obtain consumer consent to use personal information for a use not disclosed at the time of collection

The following are additional highlights from each of the three main areas:

1. Notices to consumers

The regulations discuss four types of notices to consumers: notice at the time of collection, notice of the right to opt-out of the sale of personal information, notice of financial incentives and a privacy policy. All required notices must be:

  • Easy to read in plain, straightforward language
  • In a format that draws the consumer’s attention to the notice
  • Accessible to those with disabilities
  • Available in all languages in which the company regularly conducts business

The regulations make clear that it is necessary, but not sufficient, to update your privacy policy to be compliant with CCPA. You must also provide notice to consumers at the time of data collection, which must be visible and accessible before any personal information is collected. The regulations make clear that no personal information may be collected without proper notice. You may use your privacy policy as the notice at the time of collection, but you must link to a specific section of your privacy policy that provides the statutorily required notice.

The regulations specifically provide that for offline collection, businesses could provide a paper version of the notice or post prominent signage. Similar to General Data Protection Regulation (GDPR), a company may only use personal information for the purposes identified at the time of collection. Otherwise, the business must obtain explicit consent to use the personal information for a new purpose.

In addition to the privacy policy requirements in the statute itself, the regulations require more privacy policy disclosures. For example, the business must include instructions on how to verify a consumer request and how to exercise consumer rights through an agent. Further, the privacy policy must identify the following information for each category of personal information collected: the sources of the information, how the information is used and the categories of third parties to whom the information is disclosed. For businesses that collect personal information of 4,000,000 or more consumers, the regulations require additional disclosures related to the number of consumer requests and the average response times. Given the additional nuances of the disclosure requirements, we recommend working with counsel to develop your privacy policy.

If a business provides financial incentives to a consumer for allowing the sale of their personal information, then the business must provide a notice of the financial incentive. The notice must include a description of the incentive, its material terms, instructions on how to opt-in to the incentive, how to withdraw from the incentive and an explanation of why the incentive is permitted by CCPA.

Finally, the regulations state that service providers that collect personal information on behalf of a business may not use that personal information for their own purposes. Instead, they are limited to performing only their obligations under the contract between the business and service provider. The contract between the parties must also include the provisions described in CCPA to ensure that the relationship is a service provider/business relationship, and not a sale of personal information between a business and third party.

2. Consumer requests

Businesses must provide at least two methods for consumers to submit requests (most commonly an online form and a toll-free number), and one of the methods must reflect the manner in which the business primarily interacts with the consumer. In addition, businesses that substantially interact with consumers offline must provide an offline method for consumers to exercise their right to opt-out, such as providing a paper form. The regulations specifically call out that in-person retailers may therefore need three methods: a paper form, an online form and a toll-free number.

The regulations do limit some consumer request rights by prohibiting the disclosure of Social Security numbers, driver’s license numbers, financial account numbers, medical-related identification numbers, passwords, and security questions and answers. Presumably, this is for two reasons: the individual should already know this information and most of these types of information are subject to exemptions from CCPA.

One of the most notable clarifications related to requests is that the 45-day timeline to respond to a consumer request includes any time required to verify the request. Additionally, the regulations introduce a new timeline requirement for consumer requests. Specifically, businesses must confirm receipt of a request within 10 days. Another new requirement is that businesses must respond to opt-out requests within 15 days and must inform all third parties to stop selling the consumer’s information within 90 days. Further, the regulations require that businesses maintain request records logs for 24 months.

3. Verification requirements

The most helpful guidance in the regulations relates to verification requests. The regulations provide that a more rigorous verification process should apply to more sensitive information. That is, businesses should not release sensitive information without being highly certain about the identity of the individual requesting the information. Businesses should, where possible, avoid collecting new personal information during the verification process and should instead rely on confirming information already in the business’ possession. Verification can be through a password-protected account provided that consumers re-authenticate themselves. For websites that provision accounts to users, requests must be made through that account. Matching two data points provided by the consumer with data points maintained by the business constitutes verification to a reasonable degree of certainty, and the matching of three data points constitutes a high degree of certainty.

The regulations also provide prescriptive steps of what to do in cases where an identity cannot be verified. For example, if a business cannot verify the identity of a person making a request for access, then the business may proceed as if the consumer requested disclosure of only the categories of personal information, as opposed to the content of such personal information. If a business cannot verify a request for deletion, then the business should treat the request as one to opt-out of the sale of personal information.

Next steps

These draft regulations add new wrinkles, and some clarity, to what is required for CCPA compliance. As we move closer to January 1, 2020 companies should continue to focus on preparing compliant disclosures and notices, finalizing their privacy policies and establishing procedures to handle consumer requests. Despite the need to press forward on compliance, the regulations are open to initial public comment until December 6, 2019, with a promise to finalize the regulations in the spring of 2020. We expect further clarity as these draft regulations go through the comment process and privacy professionals, attorneys, businesses and other stakeholders weigh in on their clarity and reasonableness.

Copyright © 2019 Godfrey & Kahn S.C.

For more on CCPA implementation, see the National Law Review Consumer Protection law page.

The CCPA Is Approaching: What Businesses Need to Know about the Consumer Privacy Law

The most comprehensive data privacy law in the United States, the California Consumer Privacy Act (CCPA), will take effect on January 1, 2020. The CCPA is an expansive step in U.S. data privacy law, as it enumerates new consumer rights regarding collection and use of personal information, along with corresponding duties for businesses that trade in such information.

While the CCPA is a state law, its scope is sufficiently broad that it will apply to many businesses that may not currently consider themselves to be under the purview of California law. In addition, in the wake of the CCPA, at least a dozen other states have introduced their own comprehensive data privacy legislation, and there is heightened consideration and support for a federal law to address similar issues.

Below, we examine the contours of the CCPA to help you better understand the applicability and requirements of the new law. While portions of the CCPA remain subject to further clarification, the inevitable challenges of compliance, coupled with the growing appetite for stricter data privacy laws in the United States generally, mean that now is the time to ensure that your organization is prepared for the CCPA.

Does the CCPA apply to my business?

Many businesses may rightly wonder if a California law even applies to them, especially if they do not have operations in California. As indicated above, however, the CCPA is not necessarily limited in scope to businesses physically located in California. The law will have an impact throughout the United States and, indeed, worldwide.

The CCPA will have broad reach because it applies to each for-profit business that collects consumers’ personal information, does business in California, and satisfies at least one of three thresholds:

  • Has annual gross revenues in excess of $25 million; or
  • Alone or in combination, annually buys, receives for commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more California consumers; or
  • Derives 50 percent or more of its annual revenues from selling consumers’ personal information

While the CCPA is limited in its application to California consumers, due to the size of the California economy and its population numbers, the act will effectively apply to any data-driven business with operations in the United States.

What is considered “personal information” under the CCPA?

The CCPA’s definition of “personal information” is likely the most expansive interpretation of the term in U.S. privacy law. Per the text of the law, personal information is any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

The CCPA goes on to note that while traditional personal identifiers such as name, address, Social Security number, passport, and the like are certainly personal information, so are a number of other categories that may not immediately come to mind, including professional or employment-related information, geolocation data, biometric data, educational information, internet activity, and even inferences drawn from the sorts of data identified above.

As a practical matter, if your business collects any information that could reasonably be linked back to an individual consumer, then you are likely collecting personal information according to the CCPA.

When does a business “collect” personal information under the CCPA?

To “collect” or the “collection” of personal information under the CCPA is any act of “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means.” Such collection can be active or passive, direct from the consumer or via the purchase of consumer data sets. If your business is collecting personal information directly from consumers, then at or before the point of collection the CCPA imposes a notice obligation on your business to inform consumers about the categories of information to be collected and the purposes for which such information will (or may) be used.

To reiterate, if your business collects any information that could reasonably be linked back to an individual, then you are likely collecting personal information according to the CCPA.

If a business collects personal information but never sells any of it, does the CCPA still apply?

Yes. While there are additional consumer rights related to the sale of personal information, the CCPA applies to businesses that collect personal information solely for internal purposes, or that otherwise do not disclose such information.

What new rights does the CCPA give to California consumers?

The CCPA gives California consumers four primary new rights: the right to receive information on privacy practices and access information, the right to demand deletion of their personal information, the right to prohibit the sale of their information, and the right not to be subject to price discrimination based on their invocation of any of the new rights specified above.

What new obligations does a business have regarding these new consumer rights?

Businesses that fall under the purview of the CCPA have a number of new obligations under the law:

  • A business must take certain steps to assist individual consumers with exercising their rights under the CCPA. This must be accomplished by providing a link on the business’s homepage titled “Do Not Sell My Personal Information” and a separate landing page for the same. In addition, a business must update its privacy policy (or policies), or a California-specific portion of the privacy policy, to include a separate link to the new “Do Not Sell My Personal Information” page.

A business also must provide at least two mechanisms for consumers to exercise their CCPA rights by offering, at a minimum, a dedicated web page for receiving and processing such requests (the CCPA is silent on whether this web page must be separate from or can be combined with the “Do Not Sell My Personal Information” page), and a toll-free 800 number to receive the same.

  • Upon receipt of a verified consumer request to delete personal information, the business must delete that consumer’s personal information within 45 days.
  • Upon receipt of a verified consumer request for information about the collection of that consumer’s personal information, a business must provide the consumer with a report within 45 days that includes the following information from the preceding 12 months:
    • Categories of personal information that the business has collected about the consumer;
    • Specific pieces of personal information that the business possesses about the consumer;
    • Categories of sources from which the business received personal information about the consumer;
    • A corporate statement detailing the commercial reason (or reasons) that the business collected such personal information about the consumer; and
    • The categories of third parties with whom the business has shared the consumer’s personal information.
  • Upon receipt of a verified consumer request for information about the sale of that consumer’s personal information, a business must provide the consumer with a report within 45 days that includes the following information from the preceding 12 months:
    • Categories of personal information that the business has collected about the consumer;
    • Categories of personal information that the business has sold about the consumer;
    • Categories of third parties to whom the business has sold the consumer’s personal information; and
    • The categories of personal information about the consumer that the business disclosed to a third party (or parties) for a business purpose.
  • Finally, a business must further update its privacy policy (or policies), or the California-specific section of such policy(s), to:
    • Identify all new rights afforded consumers by the CCPA;
    • Identify the categories of personal information that the business has collected in the preceding 12 months;
    • Include a corporate statement detailing the commercial reason (or reasons) that the business collected such personal information about the consumer;
    • Identify the categories of personal information that the business has sold in the prior 12 months, or the fact that the business has not sold any such personal information in that time; and
    • Note the categories of third parties with whom a business has shared personal information in the preceding 12 months.

What about employee data gathered by employers for internal workplace purposes?

As currently drafted, nothing in the CCPA carves out an exception for employee data gathered by employers. A “consumer” is simply defined as a “natural person who is a California resident …,” so the law would presumably treat employees like anyone else. However, the California legislature recently passed Bill AB 25, which excludes from the CCPA information collected about a person by a business while the person is acting as a job applicant, employee, owner, officer, director, or contractor of the business, to the extent that information is collected and used exclusively in the employment context. Bill AB 25 also provides an exception for emergency contact information and other information pertaining to the administration of employee benefits. The bill awaits the governor’s signature – he has until October 13, 2019 to sign.

But not so fast – Bill AB 25 only creates a one-year reprieve for employers, rather than a permanent exception. The exceptions listed above will expire on January 1, 2021. By that time, the legislature may choose to extend the exceptions indefinitely, or businesses should be prepared to fully comply with the CCPA.

California employers would thus be wise to start considering the type of employee data they collect, and whether that information may eventually become subject to the CCPA’s requirements (either on January 1, 2021 or thereafter). Personal information is likely to be present in an employee’s job application, browsing history, and information related to payroll processing, to name a few areas. It also includes biometric data, such as fingerprints scanned for time-keeping purposes. Employers who collect employees’ biometric information, for example, would be well advised to review their biometric policies so that eventual compliance with the CCPA can be achieved gradually during this one-year grace period.

Notwithstanding this new legislation, there remains little clarity as to how the law will ultimately be applied in the employer-employee context, if and when the exceptions expire. Employers are encouraged to err on the side of caution and to reach out to experienced legal counsel for further guidance if they satisfy any one of the above thresholds.

What are the penalties for violation of the CCPA?

Violations of the CCPA are enforced by the California Attorney General’s office, which can issue civil monetary fines of up to $2,500 per violation, or $7,500 for each intentional violation. Currently, the California AG’s office must provide notice of any alleged violation and allow for a 30-day cure period before issuing any fine.

Are there any exceptions to the CCPA?

Yes, there are a number of exceptions. First, the CCPA only applies to California consumers and businesses that meet the threshold(s) identified above. If a business operates or conducts a transaction wholly outside of California then the CCPA does not apply.

There are also certain enumerated exceptions to account for federal law, such that the CCPA is pre-empted by HIPAA, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act as it applies to personal information sold to or purchased from a credit reporting agency, and information subject to the Driver’s Privacy Protection Act.

Would it be fair to say that the CCPA is not very clear, and maybe even a bit confusing?

Yes, it would. The CCPA was drafted, debated, and enacted into law very quickly in the face of some legislative and ballot-driven pressures. As a result, the bill as enacted is a bit confusing and even contains sections that appear to contradict its other parts. The drafters of the CCPA, however, recognized this and have included provisions for the California AG’s office to provide further guidance on its intent and meaning. Amendment efforts also remain underway. As such, it is likely that the CCPA will be an evolving law for at least the short term.

Regardless, the CCPA will impose real-world requirements effective January 1, 2020, and the new wave of consumer privacy legislation it has inspired at the state and federal level is likely to bring even more of the same. It is important to address these issues now, rather than when it is too late.

© 2019 Much Shelist, P.C.

For more on the CCPA legislation, see the National Law Review Consumer Protection law page.

What are Consumers Claiming in Juul Lawsuits?

Within the past decade, regular tobacco users have turned to electronic cigarettes in an effort to wean off of traditional cigarettes, believing them to be a safer option for human health. E-cigarettes, also known as nicotine vaporizers, vaporizer cigarettes, or simply vape pens, have grown in popularity over the past several years, partially driven by the debut of Juul’s e-cig devices in 2015. Now, Juul Labs is a leading manufacturer of e-cigarette devices and e-liquid flavors nationwide. Despite its growing popularity, especially among teens and young adults, Juul has been at the center of several consumer legal battles, most of which allege that Juul’s e-cig devices are extremely detrimental to users’ health. Several suits have been filed by parents or guardians on behalf of teenage children.

Several consumers have accused Juul Labs of deliberately marketing its products to appeal to the younger generation. A lawsuit recently filed by the father of a Carmel, Indiana teen in the U.S. District Court in Indianapolis alleged that his son was enticed by the rainbow colors and fruity flavors of Juul’s e-cigarette products, which contained excessive levels of nicotine. The teen later developed an intense nicotine addiction and fears that his addiction may lead to health problems throughout his life.

Other suits have similarly claimed that Juul specifically targets underage markets with its presence on several social media platforms and use of online influencers to attract teen users.

This is not the first attack against Juul’s advertising practices. Stanford University researchers evaluated Juul’s marketing campaigns over its first three years on the market, and the resulting impact on teens and young adults, in a January 2019 study.

By analyzing Juul’s website, social media platforms, hashtags, and customer campaign emails, the researchers concluded that, “Juul’s advertising imagery in its first [six] months on the market was patently youth oriented.” Though Juul representatives have repeatedly denied that the company intentionally targets a younger generation in its marketing, the study revealed how Juul, “continued to engage in advertising either targeted to youth…or by placing its promotional material preferentially in youth consumed media channels…”

Juul lawsuits have also been filed in response to defective vape batteries and device explosions. Juul’s e-cigarette products are operated by lithium-ion batteries, which can allegedly overheat and explode. In several instances, vape explosions have damaged users’ mouths, hands, and other body parts, causing burns, broken jaws, and even deaths. Treacy Gangi, for example, filed a lawsuit in November 2017 on behalf of her husband who was killed by an exploding e-cigarette, similar to a Juul device.

Another lawsuit recently filed by an Ohio mother on behalf of her two teen daughters claimed that Juul failed to warn its customers of the high levels of nicotine in its devices. The complaint stated that the two twin daughters, who are now 16 years old, began vaping in 2016 and initially purchased the devices in a store that “knowingly sold e-cigarettes to underage customers.” The teens quickly became addicted to their e-cigarettes and were eventually vaping two Juul pods a day. According to the lawsuit, one Juul pod contains the same amount of nicotine as two packs of cigarettes.

Similar lawsuits have claimed that in addition to containing excessive levels of nicotine, Juul products are advertised as being a healthier alternative to traditional cigarettes. Recent cases, however, have shown that vaping Juul e-cigarettes is linked to a number of health conditions, including heart disease, lung damage, and seizures. The Centers for Disease Control and Prevention (CDC) is inspecting the recent hospitalizations of more than 149 individuals whose health problems are linked to vaping. The patients, who are predominantly teens and young adults, reportedly developed severe lung illnesses that have been associated with vaping.

According to recent cases, vaping also puts users at risk of experiencing seizures, which is a known symptom of nicotine poisoning. The FDA has received about 127 reports of seizures linked to vaping since 2010, and issued a warning about the potential correlation between vaping and seizures (convulsions) in April 2019.

Amid a lack of research and information on the health risks of using e-cigarettes, an Illinois patient was reportedly the first to die of a lung illness that was associated with vaping. Health experts say that more research needs to be done in order to understand the health implications of vaping, before other users face a similar fate.

Copyright © 2019 Katy Moncivais, Ph.D.

For more on vaping related litigation see the National Law Review Biotech, Food & Drug law page.

Sometimes You Feel Like a Nut

In a spit decision, the First Circuit reversed a dismissal of a putative class action in a Massachusetts consumer protection case. Dumond v. Reily Foods Co., No. 18-2055 (1st Cir. Aug. 8, 2019)

The defendant New England Coffee Company sells a “Hazelnut Crème” coffee. The plaintiff sued because the coffee contains no nut – it’s all coffee, no nut, only nut flavored. The district court dismissed the complaint without leave to amend on the basis that the complaint wasn’t sufficiently specific. After rejecting that ground for dismissal and also rejecting a preemption argument, the majority noted that the defendants argued as an alternative ground to support the dismissal that the factual allegations complaint failed to state a plausible claim, and that’s the part of the decision that interests us.

Whether the label was deceptive, Judge Kayatta, writing for himself and Judge Torruella, opined was a question of fact. While the label said it was “100% Arabica coffee” and listed no hazelnut as an ingredient, Judge Kayatta said that perhaps a reasonable factfinder could conclude the name of the product was sufficient, without having to read the “fine print,” “much like one might easily buy a hazelnut cake without studying the ingredients list to confirm that the cake actually contains some hazelnut.”

Responding to the dissent, Judge Kayatta wrote:  “Our dissenting colleague [Judge Lynch] envisions a more erudite reader of labels, tipped off by the accent grave on the word “crème,” and armed perhaps with several dictionaries, a bit like a federal judge reading a statute. We are less confident that ‘common parlance’ would exhibit such linguistic precision. Indeed, we confess that one of us thought “crème” was a fancy word for cream, with Hazelnut Crème being akin, for example, to hazelnut butter, a product often found in another aisle of the supermarket.”

Judge Kayatta further wrote: “None of this is to say that our dissenting colleague’s reading is by any means unreasonable. To the contrary, we ourselves would likely land upon that reading were we in the grocery aisle with some time to peruse the package.”

In her dissent, Judge Lynch said that she disagreed with the majority that this presented a “close” question – in her view “a reasonable consumer plainly could not view the phrase ‘Hazelnut Crème’ as announcing the presence of actual hazelnut in a bag of coffee which also proclaims it is ‘100% Arabica Coffee.’”  Aside from noting that the package ingredient only said it included 100% Arabica coffee and never said it contained an actual nut, Judge Lynch explained how the word “Crème” means, both in the dictionary and in common parlance, a cream or cream sauce as used in cookery or a sweet liqueur, with the latter usually “used with the flavor specified” (citing Webster’s) – in short, “hazelnut Crème” clearly indicates a flavoring, not an ingredient. The majority’s hazelnut cake analogy was inapt because cakes are “made up of many ingredients.” .

My thoughts on this opinion are, first, it sounds like a lively chambers discussion, and second, I wonder about the degree to which each of the members of the panel does his or her own grocery shopping, and, if so, whether he or she reads labels, and whether this, consciously or not, influenced their thinking.

Since according to the majority opinion, either Judge Kayatta or Judge Torruella thought “Hazelnut Crème” meant hazelnut butter (really? in coffee? And despite the fact no dairy product was listed on the label?), did the majority reason that it follows that a reasonable consumer could be confused, because obviously the members of the majority are reasonable consumers? As noted above, the majority stated that “we” would “likely” realize there was no actual hazelnut in the coffee “were we in the grocery aisle with some time to peruse the package.” Are they saying that’s not the reasonable consumer standard –someone with time to peruse a package? It’s unreasonable to have them look at the ingredients? Or is the majority saying “likely” isn’t good enough to avoid a jury question?

©2019 Pierce Atwood LLP. All rights reserved.

Privacy Legislation Proposed in New York

The prevailing wisdom after last year’s enactment of the California Consumer Privacy Act (CCPA) was that it would result in other states enacting consumer privacy legislation. The perceived inevitability of a “50-state solution to privacy” motivated businesses previously opposed to federal privacy legislation to push for its enactment. With state legislatures now convening, we have identified what could be the first such proposed legislation in New York Senate Bill 224.

The proposed legislation is not nearly as extensive as the CCPA and is perhaps more analogous to California’s Shine the Light Law. The proposed legislation would require a “business that retains a customer’s personal information [to] make available to the customer free of charge access to, or copies of, all of the customer’s personal information retained by the business.” It also would require businesses that disclose customer personal information to third parties to disclose certain information to customers about the third parties and the personal information that is shared. Businesses would have to provide this information within 30 days of a customer request and for a twelve-month lookback period. The rights also would have to be disclosed in online privacy notices. Notably, the bill would create a private right of action for violations of its provisions.

We will continue to monitor this legislation and any other proposed legislation.

Copyright © by Ballard Spahr LLP.

This post was written by David M. Stauss of Ballard Spahr LLP.