CCPA Alert: California Attorney General Releases Draft Regulations

On October 10, 2019, the California Attorney General released the highly anticipated draft regulations for the California Consumer Privacy Act (CCPA). The regulations focus heavily on three main areas: 1) notices to consumers, 2) consumer requests and 3) verification requirements. While the regulations focus heavily on these three topics, they also discuss special rules for minors, non-discrimination standards and other aspects of the CCPA. Despite high hopes, the regulations do not provide the clarity many companies desired. Instead, the regulations layer on new requirements while sprinkling in further ambiguities.

The most surprising new requirements proposed in the regulations include:

  • New disclosure requirements for businesses that collect personal information from more than 4,000,000 consumers
  • Businesses must acknowledge the receipt of consumer requests within 10 days
  • Businesses must honor “Do Not Sell” requests within 15 days and inform any third parties who received the personal information of the request within 90 days
  • Businesses must obtain consumer consent to use personal information for a use not disclosed at the time of collection

The following are additional highlights from each of the three main areas:

1. Notices to consumers

The regulations discuss four types of notices to consumers: notice at the time of collection, notice of the right to opt-out of the sale of personal information, notice of financial incentives and a privacy policy. All required notices must be:

  • Easy to read in plain, straightforward language
  • In a format that draws the consumer’s attention to the notice
  • Accessible to those with disabilities
  • Available in all languages in which the company regularly conducts business

The regulations make clear that it is necessary, but not sufficient, to update your privacy policy to be compliant with CCPA. You must also provide notice to consumers at the time of data collection, which must be visible and accessible before any personal information is collected. The regulations make clear that no personal information may be collected without proper notice. You may use your privacy policy as the notice at the time of collection, but you must link to a specific section of your privacy policy that provides the statutorily required notice.

The regulations specifically provide that for offline collection, businesses could provide a paper version of the notice or post prominent signage. Similar to General Data Protection Regulation (GDPR), a company may only use personal information for the purposes identified at the time of collection. Otherwise, the business must obtain explicit consent to use the personal information for a new purpose.

In addition to the privacy policy requirements in the statute itself, the regulations require more privacy policy disclosures. For example, the business must include instructions on how to verify a consumer request and how to exercise consumer rights through an agent. Further, the privacy policy must identify the following information for each category of personal information collected: the sources of the information, how the information is used and the categories of third parties to whom the information is disclosed. For businesses that collect personal information of 4,000,000 or more consumers, the regulations require additional disclosures related to the number of consumer requests and the average response times. Given the additional nuances of the disclosure requirements, we recommend working with counsel to develop your privacy policy.

If a business provides financial incentives to a consumer for allowing the sale of their personal information, then the business must provide a notice of the financial incentive. The notice must include a description of the incentive, its material terms, instructions on how to opt-in to the incentive, how to withdraw from the incentive and an explanation of why the incentive is permitted by CCPA.

Finally, the regulations state that service providers that collect personal information on behalf of a business may not use that personal information for their own purposes. Instead, they are limited to performing only their obligations under the contract between the business and service provider. The contract between the parties must also include the provisions described in CCPA to ensure that the relationship is a service provider/business relationship, and not a sale of personal information between a business and third party.

2. Consumer requests

Businesses must provide at least two methods for consumers to submit requests (most commonly an online form and a toll-free number), and one of the methods must reflect the manner in which the business primarily interacts with the consumer. In addition, businesses that substantially interact with consumers offline must provide an offline method for consumers to exercise their right to opt-out, such as providing a paper form. The regulations specifically call out that in-person retailers may therefore need three methods: a paper form, an online form and a toll-free number.

The regulations do limit some consumer request rights by prohibiting the disclosure of Social Security numbers, driver’s license numbers, financial account numbers, medical-related identification numbers, passwords, and security questions and answers. Presumably, this is for two reasons: the individual should already know this information and most of these types of information are subject to exemptions from CCPA.

One of the most notable clarifications related to requests is that the 45-day timeline to respond to a consumer request includes any time required to verify the request. Additionally, the regulations introduce a new timeline requirement for consumer requests. Specifically, businesses must confirm receipt of a request within 10 days. Another new requirement is that businesses must respond to opt-out requests within 15 days and must inform all third parties to stop selling the consumer’s information within 90 days. Further, the regulations require that businesses maintain request records logs for 24 months.

3. Verification requirements

The most helpful guidance in the regulations relates to verification requests. The regulations provide that a more rigorous verification process should apply to more sensitive information. That is, businesses should not release sensitive information without being highly certain about the identity of the individual requesting the information. Businesses should, where possible, avoid collecting new personal information during the verification process and should instead rely on confirming information already in the business’ possession. Verification can be through a password-protected account provided that consumers re-authenticate themselves. For websites that provision accounts to users, requests must be made through that account. Matching two data points provided by the consumer with data points maintained by the business constitutes verification to a reasonable degree of certainty, and the matching of three data points constitutes a high degree of certainty.

The regulations also provide prescriptive steps of what to do in cases where an identity cannot be verified. For example, if a business cannot verify the identity of a person making a request for access, then the business may proceed as if the consumer requested disclosure of only the categories of personal information, as opposed to the content of such personal information. If a business cannot verify a request for deletion, then the business should treat the request as one to opt-out of the sale of personal information.

Next steps

These draft regulations add new wrinkles, and some clarity, to what is required for CCPA compliance. As we move closer to January 1, 2020 companies should continue to focus on preparing compliant disclosures and notices, finalizing their privacy policies and establishing procedures to handle consumer requests. Despite the need to press forward on compliance, the regulations are open to initial public comment until December 6, 2019, with a promise to finalize the regulations in the spring of 2020. We expect further clarity as these draft regulations go through the comment process and privacy professionals, attorneys, businesses and other stakeholders weigh in on their clarity and reasonableness.


Copyright © 2019 Godfrey & Kahn S.C.

For more on CCPA implementation, see the National Law Review Consumer Protection law page.

The CCPA Is Approaching: What Businesses Need to Know about the Consumer Privacy Law

The most comprehensive data privacy law in the United States, the California Consumer Privacy Act (CCPA), will take effect on January 1, 2020. The CCPA is an expansive step in U.S. data privacy law, as it enumerates new consumer rights regarding collection and use of personal information, along with corresponding duties for businesses that trade in such information.

While the CCPA is a state law, its scope is sufficiently broad that it will apply to many businesses that may not currently consider themselves to be under the purview of California law. In addition, in the wake of the CCPA, at least a dozen other states have introduced their own comprehensive data privacy legislation, and there is heightened consideration and support for a federal law to address similar issues.

Below, we examine the contours of the CCPA to help you better understand the applicability and requirements of the new law. While portions of the CCPA remain subject to further clarification, the inevitable challenges of compliance, coupled with the growing appetite for stricter data privacy laws in the United States generally, mean that now is the time to ensure that your organization is prepared for the CCPA.

Does the CCPA apply to my business?

Many businesses may rightly wonder if a California law even applies to them, especially if they do not have operations in California. As indicated above, however, the CCPA is not necessarily limited in scope to businesses physically located in California. The law will have an impact throughout the United States and, indeed, worldwide.

The CCPA will have broad reach because it applies to each for-profit business that collects consumers’ personal information, does business in California, and satisfies at least one of three thresholds:

  • Has annual gross revenues in excess of $25 million; or
  • Alone or in combination, annually buys, receives for commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more California consumers; or
  • Derives 50 percent or more of its annual revenues from selling consumers’ personal information

While the CCPA is limited in its application to California consumers, due to the size of the California economy and its population numbers, the act will effectively apply to any data-driven business with operations in the United States.

What is considered “personal information” under the CCPA?

The CCPA’s definition of “personal information” is likely the most expansive interpretation of the term in U.S. privacy law. Per the text of the law, personal information is any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

The CCPA goes on to note that while traditional personal identifiers such as name, address, Social Security number, passport, and the like are certainly personal information, so are a number of other categories that may not immediately come to mind, including professional or employment-related information, geolocation data, biometric data, educational information, internet activity, and even inferences drawn from the sorts of data identified above.

As a practical matter, if your business collects any information that could reasonably be linked back to an individual consumer, then you are likely collecting personal information according to the CCPA.

When does a business “collect” personal information under the CCPA?

To “collect” or the “collection” of personal information under the CCPA is any act of “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means.” Such collection can be active or passive, direct from the consumer or via the purchase of consumer data sets. If your business is collecting personal information directly from consumers, then at or before the point of collection the CCPA imposes a notice obligation on your business to inform consumers about the categories of information to be collected and the purposes for which such information will (or may) be used.

To reiterate, if your business collects any information that could reasonably be linked back to an individual, then you are likely collecting personal information according to the CCPA.

If a business collects personal information but never sells any of it, does the CCPA still apply?

Yes. While there are additional consumer rights related to the sale of personal information, the CCPA applies to businesses that collect personal information solely for internal purposes, or that otherwise do not disclose such information.

What new rights does the CCPA give to California consumers?

The CCPA gives California consumers four primary new rights: the right to receive information on privacy practices and access information, the right to demand deletion of their personal information, the right to prohibit the sale of their information, and the right not to be subject to price discrimination based on their invocation of any of the new rights specified above.

What new obligations does a business have regarding these new consumer rights?

Businesses that fall under the purview of the CCPA have a number of new obligations under the law:

  • A business must take certain steps to assist individual consumers with exercising their rights under the CCPA. This must be accomplished by providing a link on the business’s homepage titled “Do Not Sell My Personal Information” and a separate landing page for the same. In addition, a business must update its privacy policy (or policies), or a California-specific portion of the privacy policy, to include a separate link to the new “Do Not Sell My Personal Information” page.

A business also must provide at least two mechanisms for consumers to exercise their CCPA rights by offering, at a minimum, a dedicated web page for receiving and processing such requests (the CCPA is silent on whether this web page must be separate from or can be combined with the “Do Not Sell My Personal Information” page), and a toll-free 800 number to receive the same.

  • Upon receipt of a verified consumer request to delete personal information, the business must delete that consumer’s personal information within 45 days.
  • Upon receipt of a verified consumer request for information about the collection of that consumer’s personal information, a business must provide the consumer with a report within 45 days that includes the following information from the preceding 12 months:
    • Categories of personal information that the business has collected about the consumer;
    • Specific pieces of personal information that the business possesses about the consumer;
    • Categories of sources from which the business received personal information about the consumer;
    • A corporate statement detailing the commercial reason (or reasons) that the business collected such personal information about the consumer; and
    • The categories of third parties with whom the business has shared the consumer’s personal information.
  • Upon receipt of a verified consumer request for information about the sale of that consumer’s personal information, a business must provide the consumer with a report within 45 days that includes the following information from the preceding 12 months:
    • Categories of personal information that the business has collected about the consumer;
    • Categories of personal information that the business has sold about the consumer;
    • Categories of third parties to whom the business has sold the consumer’s personal information; and
    • The categories of personal information about the consumer that the business disclosed to a third party (or parties) for a business purpose.
  • Finally, a business must further update its privacy policy (or policies), or the California-specific section of such policy(s), to:
    • Identify all new rights afforded consumers by the CCPA;
    • Identify the categories of personal information that the business has collected in the preceding 12 months;
    • Include a corporate statement detailing the commercial reason (or reasons) that the business collected such personal information about the consumer;
    • Identify the categories of personal information that the business has sold in the prior 12 months, or the fact that the business has not sold any such personal information in that time; and
    • Note the categories of third parties with whom a business has shared personal information in the preceding 12 months.

What about employee data gathered by employers for internal workplace purposes?

As currently drafted, nothing in the CCPA carves out an exception for employee data gathered by employers. A “consumer” is simply defined as a “natural person who is a California resident …,” so the law would presumably treat employees like anyone else. However, the California legislature recently passed Bill AB 25, which excludes from the CCPA information collected about a person by a business while the person is acting as a job applicant, employee, owner, officer, director, or contractor of the business, to the extent that information is collected and used exclusively in the employment context. Bill AB 25 also provides an exception for emergency contact information and other information pertaining to the administration of employee benefits. The bill awaits the governor’s signature – he has until October 13, 2019 to sign.

But not so fast – Bill AB 25 only creates a one-year reprieve for employers, rather than a permanent exception. The exceptions listed above will expire on January 1, 2021. By that time, the legislature may choose to extend the exceptions indefinitely, or businesses should be prepared to fully comply with the CCPA.

California employers would thus be wise to start considering the type of employee data they collect, and whether that information may eventually become subject to the CCPA’s requirements (either on January 1, 2021 or thereafter). Personal information is likely to be present in an employee’s job application, browsing history, and information related to payroll processing, to name a few areas. It also includes biometric data, such as fingerprints scanned for time-keeping purposes. Employers who collect employees’ biometric information, for example, would be well advised to review their biometric policies so that eventual compliance with the CCPA can be achieved gradually during this one-year grace period.

Notwithstanding this new legislation, there remains little clarity as to how the law will ultimately be applied in the employer-employee context, if and when the exceptions expire. Employers are encouraged to err on the side of caution and to reach out to experienced legal counsel for further guidance if they satisfy any one of the above thresholds.

What are the penalties for violation of the CCPA?

Violations of the CCPA are enforced by the California Attorney General’s office, which can issue civil monetary fines of up to $2,500 per violation, or $7,500 for each intentional violation. Currently, the California AG’s office must provide notice of any alleged violation and allow for a 30-day cure period before issuing any fine.

Are there any exceptions to the CCPA?

Yes, there are a number of exceptions. First, the CCPA only applies to California consumers and businesses that meet the threshold(s) identified above. If a business operates or conducts a transaction wholly outside of California then the CCPA does not apply.

There are also certain enumerated exceptions to account for federal law, such that the CCPA is pre-empted by HIPAA, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act as it applies to personal information sold to or purchased from a credit reporting agency, and information subject to the Driver’s Privacy Protection Act.

Would it be fair to say that the CCPA is not very clear, and maybe even a bit confusing?

Yes, it would. The CCPA was drafted, debated, and enacted into law very quickly in the face of some legislative and ballot-driven pressures. As a result, the bill as enacted is a bit confusing and even contains sections that appear to contradict its other parts. The drafters of the CCPA, however, recognized this and have included provisions for the California AG’s office to provide further guidance on its intent and meaning. Amendment efforts also remain underway. As such, it is likely that the CCPA will be an evolving law for at least the short term.

Regardless, the CCPA will impose real-world requirements effective January 1, 2020, and the new wave of consumer privacy legislation it has inspired at the state and federal level is likely to bring even more of the same. It is important to address these issues now, rather than when it is too late.


© 2019 Much Shelist, P.C.


What are Consumers Claiming in Juul Lawsuits?

Within the past decade, regular tobacco users have turned to electronic cigarettes in an effort to wean off of traditional cigarettes, believing them to be a safer option for human health. E-cigarettes, also known as nicotine vaporizers, vaporizer cigarettes, or simply vape pens, have grown in popularity over the past several years, partially driven by the debut of Juul’s e-cig devices in 2015. Now, Juul Labs is a leading manufacturer of e-cigarette devices and e-liquid flavors nationwide. Despite its growing popularity, especially among teens and young adults, Juul has been at the center of several consumer legal battles, most of which allege that Juul’s e-cig devices are extremely detrimental to users’ health. Several suits have been filed by parents or guardians on behalf of teenage children.

Several consumers have accused Juul Labs of deliberately marketing its products to appeal to the younger generation. A lawsuit recently filed by the father of a Carmel, Indiana teen in the U.S. District Court in Indianapolis alleged that his son was enticed by the rainbow colors and fruity flavors of Juul’s e-cigarette products, which contained excessive levels of nicotine. The teen later developed an intense nicotine addiction and fears that his addiction may lead to health problems throughout his life.

Other suits have similarly claimed that Juul specifically targets underage markets with its presence on several social media platforms and use of online influencers to attract teen users.

This is not the first attack against Juul’s advertising practices. Stanford University researchers evaluated Juul’s marketing campaigns over its first three years on the market, and the resulting impact on teens and young adults, in a January 2019 study.

By analyzing Juul’s website, social media platforms, hashtags, and customer campaign emails, the researchers concluded that, “Juul’s advertising imagery in its first [six] months on the market was patently youth oriented.” Though Juul representatives have repeatedly denied that the company intentionally targets a younger generation in its marketing, the study revealed how Juul, “continued to engage in advertising either targeted to youth…or by placing its promotional material preferentially in youth consumed media channels…”

Juul lawsuits have also been filed in response to defective vape batteries and device explosions. Juul’s e-cigarette products are operated by lithium-ion batteries, which can allegedly overheat and explode. In several instances, vape explosions have damaged users’ mouths, hands, and other body parts, causing burns, broken jaws, and even deaths. Treacy Gangi, for example, filed a lawsuit in November 2017 on behalf of her husband who was killed by an exploding e-cigarette, similar to a Juul device.

Another lawsuit recently filed by an Ohio mother on behalf of her two teen daughters claimed that Juul failed to warn its customers of the high levels of nicotine in its devices. The complaint stated that the two twin daughters, who are now 16 years old, began vaping in 2016 and initially purchased the devices in a store that “knowingly sold e-cigarettes to underage customers.” The teens quickly became addicted to their e-cigarettes and were eventually vaping two Juul pods a day. According to the lawsuit, one Juul pod contains the same amount of nicotine as two packs of cigarettes.

Similar lawsuits have claimed that in addition to containing excessive levels of nicotine, Juul products are advertised as being a healthier alternative to traditional cigarettes. Recent cases, however, have shown that vaping Juul e-cigarettes is linked to a number of health conditions, including heart disease, lung damage, and seizures. The Centers for Disease Control and Prevention (CDC) is inspecting the recent hospitalizations of more than 149 individuals whose health problems are linked to vaping. The patients, who are predominantly teens and young adults, reportedly developed severe lung illnesses that have been associated with vaping.

According to recent cases, vaping also puts users at risk of experiencing seizures, which is a known symptom of nicotine poisoning. The FDA has received about 127 reports of seizures linked to vaping since 2010, and issued a warning about the potential correlation between vaping and seizures (convulsions) in April 2019.

Amid a lack of research and information on the health risks of using e-cigarettes, an Illinois patient was reportedly the first to die of a lung illness that was associated with vaping. Health experts say that more research needs to be done in order to understand the health implications of vaping, before other users face a similar fate.


Copyright © 2019 Katy Moncivais, Ph.D.


Sometimes You Feel Like a Nut

In a split decision, the First Circuit reversed a dismissal of a putative class action in a Massachusetts consumer protection case. Dumond v. Reily Foods Co., No. 18-2055 (1st Cir. Aug. 8, 2019).

The defendant New England Coffee Company sells a “Hazelnut Crème” coffee. The plaintiff sued because the coffee contains no nut – it’s all coffee, no nut, only nut flavored. The district court dismissed the complaint without leave to amend on the basis that the complaint wasn’t sufficiently specific. After rejecting that ground for dismissal and also rejecting a preemption argument, the majority noted that the defendants argued, as an alternative ground to support the dismissal, that the complaint’s factual allegations failed to state a plausible claim, and that’s the part of the decision that interests us.

Judge Kayatta, writing for himself and Judge Torruella, opined that whether the label was deceptive was a question of fact. While the label said it was “100% Arabica coffee” and listed no hazelnut as an ingredient, Judge Kayatta said that perhaps a reasonable factfinder could conclude the name of the product was sufficient, without having to read the “fine print,” “much like one might easily buy a hazelnut cake without studying the ingredients list to confirm that the cake actually contains some hazelnut.”

Responding to the dissent, Judge Kayatta wrote: “Our dissenting colleague [Judge Lynch] envisions a more erudite reader of labels, tipped off by the accent grave on the word ‘crème,’ and armed perhaps with several dictionaries, a bit like a federal judge reading a statute. We are less confident that ‘common parlance’ would exhibit such linguistic precision. Indeed, we confess that one of us thought ‘crème’ was a fancy word for cream, with Hazelnut Crème being akin, for example, to hazelnut butter, a product often found in another aisle of the supermarket.”

Judge Kayatta further wrote: “None of this is to say that our dissenting colleague’s reading is by any means unreasonable. To the contrary, we ourselves would likely land upon that reading were we in the grocery aisle with some time to peruse the package.”

In her dissent, Judge Lynch said that she disagreed with the majority that this presented a “close” question – in her view “a reasonable consumer plainly could not view the phrase ‘Hazelnut Crème’ as announcing the presence of actual hazelnut in a bag of coffee which also proclaims it is ‘100% Arabica Coffee.’” Aside from noting that the package ingredient list only said it included 100% Arabica coffee and never said it contained an actual nut, Judge Lynch explained how the word “Crème” means, both in the dictionary and in common parlance, a cream or cream sauce as used in cookery or a sweet liqueur, with the latter usually “used with the flavor specified” (citing Webster’s) – in short, “Hazelnut Crème” clearly indicates a flavoring, not an ingredient. The majority’s hazelnut cake analogy was inapt because cakes are “made up of many ingredients.”

My thoughts on this opinion are, first, it sounds like a lively chambers discussion, and second, I wonder about the degree to which each of the members of the panel does his or her own grocery shopping, and, if so, whether he or she reads labels, and whether this, consciously or not, influenced their thinking.

Since according to the majority opinion, either Judge Kayatta or Judge Torruella thought “Hazelnut Crème” meant hazelnut butter (really? in coffee? And despite the fact no dairy product was listed on the label?), did the majority reason that it follows that a reasonable consumer could be confused, because obviously the members of the majority are reasonable consumers? As noted above, the majority stated that “we” would “likely” realize there was no actual hazelnut in the coffee “were we in the grocery aisle with some time to peruse the package.” Are they saying that’s not the reasonable consumer standard – someone with time to peruse a package? It’s unreasonable to have them look at the ingredients? Or is the majority saying “likely” isn’t good enough to avoid a jury question?


©2019 Pierce Atwood LLP. All rights reserved.

Privacy Legislation Proposed in New York

The prevailing wisdom after last year’s enactment of the California Consumer Privacy Act (CCPA) was that it would result in other states enacting consumer privacy legislation. The perceived inevitability of a “50-state solution to privacy” motivated businesses previously opposed to federal privacy legislation to push for its enactment. With state legislatures now convening, we have identified what could be the first such proposed legislation in New York Senate Bill 224.

The proposed legislation is not nearly as extensive as the CCPA and is perhaps more analogous to California’s Shine the Light Law. The proposed legislation would require a “business that retains a customer’s personal information [to] make available to the customer free of charge access to, or copies of, all of the customer’s personal information retained by the business.” It also would require businesses that disclose customer personal information to third parties to disclose certain information to customers about the third parties and the personal information that is shared. Businesses would have to provide this information within 30 days of a customer request and for a twelve-month lookback period. The rights also would have to be disclosed in online privacy notices. Notably, the bill would create a private right of action for violations of its provisions.

We will continue to monitor this legislation and any other proposed legislation.

Copyright © by Ballard Spahr LLP.

This post was written by David M. Stauss of Ballard Spahr LLP.

California’s Turn: California Consumer Privacy Act of 2018 Enhances Privacy Protections and Control for Consumers

On Friday, June 29, 2018, California passed comprehensive privacy legislation, the California Consumer Privacy Act of 2018.  The legislation is some of the most progressive privacy legislation in the United States, with comparisons drawn to the European Union’s General Data Protection Regulation, or GDPR, which went into effect on May 25, 2018.  Karen Schuler, leader of BDO’s National Data and Information Governance and a former forensic investigator for the SEC, provides some insight into this legislation, how it compares to the EU’s GDPR, and how businesses can navigate the complexities of today’s privacy regulatory landscape.

California Consumer Privacy Act 2018

The California Consumer Privacy Act of 2018 was passed by both the California Senate and Assembly, and quickly signed into law by Governor Brown, hours before a deadline to withdraw a voter-led initiative that could potentially put into place even stricter privacy regulations for businesses.  This legislation will have a tremendous impact on the privacy landscape in the United States and beyond, as the legislation provides consumers with much more control of their information, as well as an expanded definition of personal information and the ability of consumers to control whether companies sell or share their data.  This law goes into effect on January 1, 2020. You can read more about the California Privacy Act of 2018 here.

California Privacy Legislation v. GDPR

In many ways the California law is similar to GDPR; however, there are notable differences, and ways in which the California legislation goes even further.

Karen Schuler, leader of BDO’s National Data & Information Governance practice and former forensic investigator for the SEC, points out:

“the theme that resonates throughout both GDPR and the California Consumer Privacy Act is to limit or prevent harm to its residents. . . both seem to be keenly focused on lawful processing of data, as well as knowing where your personal information goes and ensuring that companies protect data accordingly.”

One way California goes a bit further is in the ability of consumers to prevent a company from selling or otherwise sharing consumer information. Schuler says, “California has proposed that if a consumer chooses not to have their information sold, then the company must respect that.” While GDPR provides data protections for consumers, and gives consumers rights to modify, delete and access their information, there is no precedent under GDPR for stopping a company from selling consumer data if the company has a legal basis to do so.

In terms of the compliance burden, Schuler hypothesizes that companies that are in good shape as far as GDPR goes might have a bit of a head start on compliance with the California legislation; however, there is still a lot of work to do before the law goes into effect on January 1, 2020. Schuler says, “There are also different descriptions of personal data between regulations like HIPAA, PCI, GDPR and others that may require – under this law – companies to look at their categorizations of data. For some organizations this is an extremely large undertaking.”

Compliance with Privacy Regulations: No Short-Cuts

With these stricter regulations coming into play, companies are in a position where understanding data flows is of primary importance. In many ways, GDPR compliance was a wake-up call to the complexity of data privacy issues within companies. Schuler says, “Ultimately, we have found that companies are making good strides against becoming GDPR compliant, but that they may have waited too long and underestimated the level of effort it takes to institute a strong privacy or GDPR governance program.” When discussing how companies build compliance with whatever regulation they are trying to understand and implement, Schuler says, “It is critical companies understand where data exists, who stores it, who has access to it, how it’s categorized and protected.” Additionally, across industries companies are moving to a culture of mindfulness around privacy and data security issues, a lengthy process that can require a lot of training and buy-in from all levels of the company.

While the United States still has a patchwork of privacy regulations, including breach notification statutes, this California legislation could be a game-changer.  What is clear is that companies will need to contend with privacy legislation and consumer protections. Understanding the data flows in an organization is crucial to compliance, and it turns out GDPR may have just been the beginning.

This post was written by Eilene Spear.

Copyright ©2018 National Law Forum, LLC.

California May Be Headed Towards Sweeping Consumer Privacy Protections

On June 21st, California legislature Democrats reached a tentative agreement with a group of consumer privacy activists spearheading a ballot initiative for heightened consumer privacy protections, in which the activists would withdraw the existing ballot initiative in exchange for the California legislature passing, and Governor Jerry Brown signing into law, a similar piece of legislation, with some concessions, by June 28th, the final deadline to withdraw ballot initiatives. If enacted, the Act would take effect January 1, 2020.

In the “compromise bill,” Assemblyman Ed Chau (D-Arcadia) amended the California Consumer Privacy Act of 2018 (AB 375) to ensure that the consumer privacy activists, and conversely the ballot initiative’s opponents, would be comfortable with its terms.

Some of the key consumer rights provided for in AB 375 include:

  • A consumer’s right to request deletion of personal information, which would require the business to delete the information upon receipt of a verified request;

  • A consumer’s right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects, the categories of information sold or disclosed, and the identity of any third parties to which the information was sold or disclosed;

  • A consumer’s right to opt out of the sale of personal information by a business, together with a prohibition on the business discriminating against the consumer for exercising this right, including a prohibition on charging a consumer who opts out a different price or providing the consumer a different quality of goods or services, except where the difference is reasonably related to the value provided by the consumer’s data.

Covered entities under AB 375 would include any entity that does business in the State of California and satisfies one or more of the following: (i) annual gross revenue in excess of $25 million; (ii) alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (iii) derives 50 percent or more of its annual revenues from selling consumers’ personal information.

Though far reaching, the amended AB 375 limits legal damages and provides significant concessions to business opponents of the bill. For example, the bill allows a business 30 days to “cure” any alleged violations prior to the California attorney general initiating legal action. Similarly, while a private action is permissible, a consumer is required to provide a business 30 days’ written notice before instituting an action, during which time the business has the same 30 days to “cure” any alleged violations. Specifically, the bill provides: “In the event a cure is possible, if within the 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business.” Civil penalties for actions brought by the Attorney General are capped at $7,500 for each intentional violation. The damages in any private action brought by a consumer are not less than one hundred dollars ($100) and not greater than seven hundred and fifty dollars ($750) per consumer per incident, or actual damages, whichever is greater.

Overall, consumer privacy advocates are pleased with the amended legislation which is “substantially similar to our initiative”, said Alastair Mactaggart, a San Francisco real estate developer leading the ballot initiative. “It gives more privacy protection in some areas, and less in others.”

The consumer rights provided for in the amended version of the California Consumer Privacy Act of 2018 are reminiscent of those found in the European Union’s sweeping privacy regulation, the General Data Protection Regulation (“GDPR”) (see Does the GDPR Apply to Your U.S. Based Company?), which took effect May 25th. Moreover, California is not the only United States locality considering far-reaching privacy protections. Recently, the Chicago City Council introduced the Personal Data Collection and Protection Ordinance, which, inter alia, would require opt-in consent from Chicago residents to use, disclose or sell their personal information. On the federal level, several legislative proposals are being considered to heighten consumer privacy protection, including the Consumer Privacy Protection Act and the Data Security and Breach Notification Act.


Jackson Lewis P.C. © 2018
This post was written by Joseph J. Lazzarotti of Jackson Lewis P.C.

California AG Leads Attack on Lead in Infant Formula

Fresh off a victory in the CA primary, California Attorney General Xavier Becerra filed suit on June 7, 2018 against Nutraceutical Corporation of Park City, Utah and Graceleigh, Inc. dba Sammy’s Milk of Newport Beach, CA, alleging violations of California’s Proposition 65 and California’s consumer protection laws.

At issue are Sammy’s Milk Free-Range Goat Milk Toddler Formula, made by Graceleigh, and Peaceful Planet Toddler Supreme Formula, a rice formula made by Nutraceutical. The complaint, filed in Alameda County, CA, alleges that the levels of lead in both products result in exposures above the Provisional Total Tolerable Intake level for lead of 6 micrograms per day (“ug/day”) applicable to children 6 years of age and younger, as set by the U.S. Food and Drug Administration. A statement issued by the AG asserts that State testing showed that the products actually cause lead exposure between 13 and 15 times the maximum allowable dose under California law. The AG’s office also advised that both companies have voluntarily agreed to stop selling the products at issue in California.

Prop 65 Claims

Lead was placed on the Prop 65 list on two occasions: on February 27, 1987 for reproductive toxicity and on October 1, 1992 for cancer.

Nutraceutical said it intends to vigorously contest the suit, which it said lacks merit. The company has reported that its Toddler Supreme protein supplement’s ingredient levels comply with applicable laws and regulations and don’t pose any safety risk to consumers, based on an opinion from a former FDA toxicologist. One issue will be whether the levels meet the safe harbor provisions for lead, which would preclude the requirement for a Prop 65 warning. Prop 65 safe harbors do not always align with FDA standards. The no significant risk level (“safe harbor”) for a cancer warning regarding lead is 15 ug/day (oral exposure). The maximum allowable dose level (“safe harbor”) for a reproductive toxicity warning regarding lead is 0.5 ug/day.

Claims Under CA Consumer Protection Laws

The complaint further alleges that, due to the excess levels of lead, the products are adulterated within the meaning of the California Sherman Food, Drug and Cosmetic laws and therefore violate the unlawful prong of CA Bus. & Prof. Code section 17200. The false and misleading statements of the two companies are alleged to also violate CA Bus. & Prof. Code sections 17200 and 17500 in the following ways:

  • With respect to Graceleigh, by asserting that its ingredients in Sammy’s milk are “selected for purity” and provide “clean nutrition.”
  • With respect to Nutraceutical, by asserting that its Peaceful Planet product is “CLEAN” and “PURE.”

The State has requested that the court award both injunctive relief and civil penalties (the Prop 65 statute calls for $2500 per violation).

We will continue to follow this case and other actions in California related to the continued assault on lead contamination of consumer and children’s products.


©1994-2018 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

CPSC Finalizes Ban on Certain Children’s Toys and Child Care Articles

On October 27, 2017, the U.S. Consumer Product Safety Commission (“CPSC”) issued a final rule prohibiting children’s toys and child care articles that contain concentrations of more than 0.1 percent of certain phthalates.

What’s Prohibited

The final rule states that children’s toys and child care articles containing concentrations of more than 0.1 percent of diisononyl phthalate (“DINP”), diisobutyl phthalate (“DIBP”), di-n-pentyl phthalate (“DPENP”), di-n-hexyl phthalate (“DHEXP”), and dicyclohexyl phthalate (“DCHP”) are prohibited.

Section 108 of the Consumer Product Safety Improvement Act (“CPSIA”) prohibits the manufacture for sale, offer for sale, distribution in commerce, or importation into the U.S. of any children’s toy or child care article that contains these concentrations of certain phthalates.  Children’s toys include consumer products designed or intended by the manufacturer for a child 12 years or younger for use by the child when the child plays.  A child care article is a consumer product designed or intended by the manufacturer to facilitate sleep or the feeding of children age 3 and younger, or to help such children with sucking or teething.

What Are Phthalates

The most common phthalate, DINP, is added to some plastics to make them flexible and is commonly found in automobile interiors, wire and cable insulation, gloves, tubing, garden hoses, and shoes.  DINP is also found in flexible vinyl materials that are used in the production of bedding, garments, outdoor products such as tents and book binders.  Non-PVC or vinyl products include inks, adhesives, sealants, paints and lacquers.  DINP is also a listed substance known to cause cancer under California’s Proposition 65 and products must provide a warning about exposure.

The CPSC determined that because DIBP, DPENP, DHEXP, and DCHP aren’t widely used, few manufacturers will be affected and need to reformulate their products. Examples of products containing these phthalates are coating products, fillers, plasters, binding agents, paints, adhesives,

Who’s Affected

The final rule expanded the interim rule concerning DINP to cover all children’s toys, not just those that can be placed in a child’s mouth.  Children’s toys that can be placed in a child’s mouth and child care articles containing more than 0.1 percent of DINP have been prohibited since 2009.  Manufacturers won’t have to reformulate products in these categories.  Only manufacturers of children’s toys that cannot be placed in a child’s mouth will be affected by the final rule.

The final rule applies to both domestic manufacturers and importers and will not be a barrier to international trade.  The prohibition involving DINP applies regardless of the origin of the DINP or the phthalate formulation used.  Children’s toys and child care articles containing DINP in concentrations greater than 0.1 percent are prohibited even if DINP was not intentionally added.

The final rule becomes effective April 25, 2018 and applies to products manufactured or imported on or after that date.

This post was written by Ayako Hobbs of Squire Patton Boggs (US) LLP, © 2017
For more legal analysis go to The National Law Review

Sears Seeks to Modify FTC Order on Online Tracking

In 2009, Sears Holding Management settled with the Federal Trade Commission (FTC) over allegations that the company’s online tracking activity exceeded what they told consumers. Now, Sears has submitted a petition requesting that the FTC reopen and modify its settlement order, arguing that changing technology since 2009 has made the order’s definition of “tracking applications” too broad and has put them at a competitive disadvantage.

The 2009 FTC complaint charged that Sears “failed to disclose adequately the scope of consumers’ personal information it collected via a downloadable software application, telling consumers that the software would track their ‘online browsing,’ without telling them that it also collected information from third-party websites consumers visited such as their shopping cart information, online bank statements, and drug prescription records.” Sears was required to stop collecting data from participating consumers and to destroy what it had collected.

Sears now argues that the definition of “tracking application” in the FTC’s order applies to most software on nearly all platforms, making the order “out of step with current market practices without a corresponding benefit in combatting threats to consumer privacy.” The definition of tracking applications is so broad, Sears claims, that it “encompasses all of Sears’ current mobile apps, forcing Sears to handle disclosures differently than other companies with mobile apps and disadvantaging Sears in the marketplace.” Sears claims that modification of the order would allow the retailer to align with the current tracking practices used by its competitors.

This post was written by Sheila A. Millar, Tracy P. Marshall and Nathan A. Cardon of Keller and Heckman LLP, © 2017