Tag: Consumer Protection

California’s Turn: California Consumer Privacy Act of 2018 Enhances Privacy Protections and Control for Consumers

On Friday, June 29, 2018, California passed comprehensive privacy legislation, the California Consumer Privacy Act of 2018.  The legislation is some of the most progressive privacy legislation in the United States, with comparisons drawn to the European Union’s General Data Protection Regulation, or GDPR, which went into effect on May 25, 2018.  Karen Schuler, leader of BDO’s National Data and Information Governance and a former forensic investigator for the SEC, provides some insight into this legislation, how it compares to the EU’s GDPR, and how businesses can navigate the complexities of today’s privacy regulatory landscape.

California Consumer Privacy Act 2018

The California Consumer Privacy Act of 2018 was passed by both the California Senate and Assembly, and quickly signed into law by Governor Brown, hours before a deadline to withdraw a voter-led initiative that could potentially put into place even stricter privacy regulations for businesses.  This legislation will have a tremendous impact on the privacy landscape in the United States and beyond, as the legislation provides consumers with much more control of their information, as well as an expanded definition of personal information and the ability of consumers to control whether companies sell or share their data.  This law goes into effect on January 1, 2020. You can read more about the California Privacy Act of 2018 here.

California Privacy Legislation v. GDPR

In many ways, the California law has some similarities to GDPR, however, there are notable differences, and ways that the California legislation goes even further.

Karen Schuler, leader of BDO’s National Data & Information Governance practice and former forensic investigator for the SEC, points out:

“the theme that resonates throughout both GDPR and the California Consumer Privacy Act is to limit or prevent harm to its residents. . . both seem to be keenly focused on lawful processing of data, as well as knowing where your personal information goes and ensuring that companies protect data accordingly.”

One way California goes a bit further is in the ability of consumers to prevent a company from selling or otherwise sharing consumer information.  Schuler says, “California has proposed that if a consumer chooses not to have their information sold, then the company must respect that.” While GDPR was data protections for consumers, and allows consumers rights as far as modifying, deleting and accessing their information, there is no precedent where GDPR can stop a company from selling consumer data if the company has a legal basis to do so.

In terms of a compliance burden, Schuler hypothesizes that companies who are in good shape as far as GDPR goes might have a bit of a head start in terms of compliance with the California legislation, however, there is still a lot of work to do before the law goes into effect on January 1, 2020.  Schuler says, “There are also different descriptions of personal data between regulations like HIPAA, PCI, GDPR and others that may require – under this law – companies to look at their categorizations of data. For some organizations this is an extremely large undertaking.”

Compliance with Privacy Regulations: No Short-Cuts

With these stricter regulations coming into play, companies are in a place where understanding data flows is of primary importance. In many ways, GDPR compliance was a wake-up call to the complexities of data privacy issues in companies.  Schuler says, “Ultimately, we have found that companies are making good strides against becoming GDPR compliant, but that they may have waited too long and underestimated the level of effort it takes to institute a strong privacy or GDPR governance program.”  When talking about how companies institute compliance to whatever regulation they are trying to understand and implement, Schuler says, “It is critical companies understand where data exists, who stores it, who has access to it, how its categorized and protected.” Additionally, across industries companies are moving to a culture of mindfulness around privacy and data security issues, a lengthy process that can require a lot of training and requires buy-in from all levels of the company.

While the United States still has a patchwork of privacy regulations, including breach notification statutes, this California legislation could be a game-changer.  What is clear is that companies will need to contend with privacy legislation and consumer protections. Understanding the data flows in an organization is crucial to compliance, and it turns out GDPR may have just been the beginning.

This post was written by Eilene Spear.

Copyright ©2018 National Law Forum, LLC.

California May Be Headed Towards Sweeping Consumer Privacy Protections

On June 21st, California legislature Democrats reached a tentative agreement with a group of consumer privacy activists spearheading a ballot initiative for heightened consumer privacy protections, in which the activists would withdraw the the existing ballot initiative in exchange for the California legislature passing, and Governor Jerry Brown signing into law, a similar piece of legislation, with some concessions, by June 28th, the final deadline to withdraw ballot initiatives.  If enacted, the Act would take effect January 1, 2020.

In the “compromise bill”, Assemblyman Ed Chau (D-Arcadia) amended the California Consumer Privacy Act of 2018, (AB 375) to ensure the consumer privacy activists, and conversely ballot initiative opponents, would be comfortable with its terms.

Some of the key consumer rights allotted for in AB 375 include:

  • A consumer’s right to request deletion of personal information which would require the business to delete information upon receipt of a verified request;

  • A consumer’s right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of any 3rd parties to which the information was sold or disclosed;

  • A consumer’s right to opt-out of the sale of personal information by a business prohibiting the business from discriminating against the consumer for exercising this right, including a prohibition on charging the consumer who opts-out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.

Covered entities under AB 375 would include, any entity that does business in the State of California and satisfies one or more of the following: (i) annual gross revenue in excess of $25 million, (ii) alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices, OR (iii) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

Though far reaching, the amended AB 375 limits legal damages and provides significant concessions to business opponents of the bill. For example, the bill allows a business 30 days to “cure” any alleged violations prior to the California attorney general initiating legal action. Similarly, while a private action is permissible, a consumer is required to provide a business 30 days written notice before instituting an action, during which time the business has the same 30 days to “cure” any alleged violations.  Specifically, the bill provides: “In the event a cure is possible, if within the 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business.”  Civil penalties for actions brought by the Attorney General are capped at $7,500 for each intentional violation.  The damages in any private action brought by a consumer are not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.

Overall, consumer privacy advocates are pleased with the amended legislation which is “substantially similar to our initiative”, said Alastair Mactaggart, a San Francisco real estate developer leading the ballot initiative. “It gives more privacy protection in some areas, and less in others.”

The consumer rights allotted for in the amended version of the California Consumer Privacy Act of 2018, are reminiscent of those found in the European Union’s sweeping privacy regulations, the General Data Protection Regulation (“GDPR”) (See Does the GDPR Apply to Your U.S. Based Company?), that took effect May 25th. Moreover, California is not the only United States locality considering far reaching privacy protections. Recently, the Chicago City Council introduced the Personal Data Collection and Protection Ordinance, which, inter alia, would require opt-in consent from Chicago residents to use, disclose or sell their personal information. On the federal level, several legislative proposals are being considered to heighten consumer privacy protection, including the Consumer Privacy Protection Act, and the Data Security and Breach Notification Act.

 

Jackson Lewis P.C. © 2018
This post was written by Joseph J. Lazzarotti of Jackson Lewis P.C.

California AG Leads Attack on Lead in Infant Formula

Fresh off a victory in the CA primary, California Attorney General Xavier Bacerra filed suit on June 7, 2018 against Nutraceutical Corporation of Park City, Utah and Graceleigh, Inc. dba Sammy’s Milk of Newport Beach, CA, alleging violations of California’s Proposition 65 and California’s consumer protection laws.

At issue are Sammy’s Milk Free-Range Goat Milk Toddler Formula, made by Graceleigh, and Peaceful Planet Toddler Supreme Formula, a rice formula made by Nutraceutical. The complaint, filed in Alameda County, CA, alleges that the levels of lead in both products result in exposures above the Provisional Total Tolerable Intake level for lead of 6 micrograms per day (“ug/day”) applicable to children 6 years of age and younger, as set by the U.S. Food and Drug Administration. A statement issued by the AG asserts that State testing showed that the products actually cause lead exposure between 13 and 15 times the maximum allowable dose under California law. The AG’s office also advised that both companies have voluntarily agreed to stop selling the products at issue in California.

Prop 65 Claims

Lead was placed on the Prop 65 list on two occasions: on February 27, 1987 for reproductive toxicity and on October 1, 1992 for cancer.

Nutraceutical said it intends to vigorously contest the suit, which it said lacks merit. The company has reported that its Toddler Supreme protein supplement’s ingredient levels comply with applicable laws and regulations and don’t pose any safety risk to consumers, based on an opinion from a former FDA toxicologist. An issue will be if the levels meet the safe harbor provisions for lead, which would preclude the requirements for a Prop 65 warning. Prop 65 safe harbors do not always align with FDA standards.  The no significant risk level (“safe harbor”) for a cancer warning regarding lead is 15 ug/day (oral exposure). The maximum allowable dose level (“safe harbor”) for a reproductive toxicity warning regarding lead is 0.5 ug/day.

Claims Under CA Consumer Protection Laws

The complaint further alleges that due to the excess levels of lead, the products are adulterated within the meaning of the California Sherman Food, Drug and Cosmetic laws and therefore violates the unlawful prong of CA Bus. & Prof. Code section 17200. The false and misleading statements  of the two companies are alleged to also violate  CA Bus. & Prof. Code sections 17200 and 17500 in the following ways:

  • With respect to Graceleigh, by asserting that its ingredients in Sammy’s milk are “selected for purity” and provide “clean nutrition.”
  • With respect to Nutraceutical, by asserting that its Peaceful Planet product is “CLEAN” and “PURE.”

The State has requested that the court award both injunctive relief and civil penalties (Prop 65 statute calls for $2500 per violation).

We will continue to follow this case and other actions in California related to the continued assault on lead contamination of consumer and children’s products.

 

©1994-2018 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.
Read more on California legal updates on our California jurisdiction page.

CPSC Finalizes Ban on Certain Children’s Toys and Child Care Articles

On October 27, 2017, the U.S. Consumer Product Safety Commission (“CPSC”) issued a final rule prohibiting children’s toys and child care articles that contain concentrations of more than 0.1 percent of certain phthalates.

What’s Prohibited

The final rule states children’s toys and child care articles containing concentrations of more than 0.1 percent of diisononyl phthalate (“DINP”), diisobutyl phthalate (“DIBP”), di-n-pentyl phthalate (“DPENP”), di-n-hexyl phthalate (“DHEXP”), and dischyclohexyl phthalate (“DCHP”) are prohibited.

Section 108 of the Consumer Product Safety Improvement Act (“CPSIA”) prohibits the manufacture for sale, offer for sale, distribution in commerce, or importation into the U.S. of any children’s toy or child care article that contains these concentrations of certain phthalates.  Children’s toys include consumer products designed or intended by the manufacturer for a child 12 years or younger for use by the child when the child plays.  A child care article is a consumer product designed or intended by the manufacturer to facilitate sleep or the feeding of children age 3 and younger, or to help such children with sucking or teething.

What Are Phthalates

The most common phthalate, DINP, is added to some plastics to make them flexible and is commonly found in automobile interiors, wire and cable insulation, gloves, tubing, garden hoses, and shoes.  DINP is also found in flexible vinyl materials that are used in the production of bedding, garments, outdoor products such as tents and book binders.  Non-PVC or vinyl products include inks, adhesives, sealants, paints and lacquers.  DINP is also a listed substance known to cause cancer under California’s Proposition 65 and products must provide a warning about exposure.

The CPSC determined that because DIBP, DPENP, DHEXP, and DCHP aren’t widely used, few manufacturers will be impacted and need to reformulate their products.  Examples of products containing these phthalates are coating products, fillers, plasters, binding agents, paints, adhesives,

Who’s Affected

The final rule expanded the interim rule concerning DINP to cover all children’s toys, not just those that can be placed in a child’s mouth.  Children’s toys that can be placed in a child’s mouth and child care articles containing more than 0.1 percent of DINP have been prohibited since 2009.  Manufacturers won’t have to reformulate products in these categories.  Only manufacturers of children’s toys that cannot be placed in a child’s mouth will be affected by the final rule.

The final rule applies to both domestic manufacturers and importers and will not be a barrier to international trade.  The prohibition involving DINP applies regardless of the origin of the DINP or the phthalate formulation used.  Children’s toys and child care articles containing DINP in concentrations greater than 0.1 percent are prohibited even if DINP was not intentionally added.

The final rule becomes effective April 25, 2018 and applies to products manufactured or imported on or after that date.

This post was written by Ayako Hobbs of Squire Patton Boggs (US) LLP., © Copyright 2017
For more legal analysis go to The National Law Review

Sears Seeks to Modify FTC Order on Online Tracking

In 2009, Sears Holding Management settled with the Federal Trade Commission (FTC) over allegations that the company’s online tracking activity exceeded what they told consumers. Now, Sears has submitted a petition requesting that the FTC reopen and modify its settlement order, arguing that changing technology since 2009 has made the order’s definition of “tracking applications” too broad and has put them at a competitive disadvantage.

The 2009 FTC complaint charged that Sears “failed to disclose adequately the scope of consumers’ personal information it collected via a downloadable software application, telling consumers that the software would track their “online browsing,” without telling them that it also collected information from third-party websites consumers visited such as their shopping cart information, online bank statements, and drug prescription records. Sears was required to stop collecting data from participating consumers and to destroy what they’d collected.

Sears now argues that the definition of “tracking application” in the FTC’s order now applies to most software on nearly all platforms, making them “out of step with current market practices without a corresponding benefit in combatting threats to consumer privacy.” The definition of tracking applications is so broad, Sears claims, that it “encompasses all of Sears’ current mobile apps, forcing Sears to handle disclosures differently than other companies with mobile apps and disadvantaging Sears in the marketplace.” Sears claims that modification of the order would allow the retailer to align with current tracking practices used by their competitors.

 This post was written by Sheila A. Millar ,Tracy P. Marshall Nathan A. Cardon of Keller and Heckman LLP.,© 2017
For more legal analysis, go to The National Law Review 

So…Everyone’s Been Compromised? What To Do In The Wake of the Equifax Breach

By now, you’ve probably heard that over 143 million records containing highly sensitive personal information have been compromised in the Equifax data breach. With numbers exceeding 40% of the population of the United States at risk, chances are good that you or someone you know – or more precisely, many people you know – will be affected. But until you know for certain, you are probably wondering what to do until you find out.

To be sure, there has been a lot of confusion. Many feel there was an unreasonable delay in reporting the breach. And now that it has been reported, some have suggested that people who sign up with the Equifax website to determine if they were in the breach might be bound to an arbitration clause and thereby waive their right to file suit if necessary later (although Equifax has since said that is not the case). Others have reported that the “personal identification number” (PIN) provided by Equifax for those who do register with the site is nothing more than a date and time stamp, which could be subject to a brute-force attack, which is not necessarily reassuring when dealing with personal information. Still others have reported that the site itself is subject to vulnerabilities such as cross-site scripting (XSS), which could give hackers another mechanism to steal personal information. And some have even questioned the validity of the responses provided by Equifax when people query to see if they might have been impacted.

In all the chaos, it’s hard to know how to best proceed. Fortunately, you have options other than using Equifax’s website.

1. Place a Credit Freeze

Know that if you are a victim of the breach, you will be notified by Equifax eventually. In the meantime, consider placing a credit freeze on your accounts with the three major credit reporting bureaus. All three major credit reporting bureaus allow consumers to freeze their credit reports for a small fee, and you will need to place a freeze with each credit bureau. If you are the victim of identity fraud, or if your state’s law mandates, a credit freeze can be implemented without charge. In some states, you may incur a small fee. Lists of fees for residents of various states can be found at the TransUnionExperian, and Equifax websites. Placing a freeze on your credit reports will restrict access to your information and make it more difficult for identity thieves to open accounts in your name. This will not affect your credit score but there may be a second fee associated with lifting a credit freeze, so it is important to research your options before proceeding. Also, know that you will likely face a delay period before a freeze can be lifted, so spur-of-the-moment credit opportunities might suffer.

Here is information for freezing your credit with each credit bureau:

Equifax Credit Freeze

  • You may do a credit freeze online or by certified mail (return receipt requested) to:

            Equifax Security Freeze

            P.O. Box 105788

            Atlanta, GA 30348

  • To unfreeze, you must do a temporary thaw by regular mail, online or by calling 1-800-685-1111 (for New York residents call 1-800-349-9960).

Experian Credit Freeze

  • You may do a credit freeze online, by calling 1-888-EXPERIAN (1-888-397-3742) or by certified mail (return receipt requested) to:

            Experian

            P.O. Box 9554

            Allen, TX 75013

  • To unfreeze, you must do a temporary thaw online or by calling 1-888-397-3742.

TransUnion Credit Freeze

  • You may do a credit freeze online, by phone (1-888-909-8872) or by certified mail (return receipt requested) to:

            TransUnion LLC

            P.O. Box 2000

            Chester, PA 19016

  • To unfreeze, you must do a temporary thaw online or by calling 1-888-909-8872.

After you complete a freeze, make sure you have a pen and paper handy because you will be given a PIN code to keep in a safe place.

2. Obtain a Free Copy of Your Credit Report

Consider setting up a schedule to obtain a copy of your free annual credit report from each of the reporting bureaus on a staggered basis. By obtaining and reviewing a report from one of the credit reporting bureaus every three or four months, you can better position yourself to respond to unusual or fraudulent activity more frequently. Admittedly, there is a chance that one of the reporting bureaus might miss an account that is reported by the other two but the benefit offsets the risk.

3. Notify Law Enforcement and Obtain a Police Report

If you find you are the victim of identity fraud (that is, actual fraudulent activity – not just being a member of the class of affected persons), notify your local law enforcement agency to file a police report. Having a police report will help you to challenge fraudulent activity, will provide you with verification of the fraud to provide to credit companies’ fraud investigators, and will be beneficial if future fraud occurs. To that end, be aware that additional fraud may arise closer to the federal tax filing deadline and having a police report already on file can help you resolve identity fraud problems with the Internal Revenue Service if false tax returns are filed under your identity.

4. Obtain an IRS IP PIN

Given the nature of the information involved in the breach, an additional option for individuals residing in Florida, Georgia, and Washington, D.C. is to obtain an IRS IP PIN, which is a 6-digit number assigned to eligible taxpayers to help prevent the misuse of Social Security numbers in federal tax filings. An IP PIN helps the IRS verify a taxpayer’s identity and accept their electronic or paper tax return. When a taxpayer has an IP PIN, it prevents someone else from filing a tax return with the taxpayer’s SSN.

If a return is e-filed with a taxpayer’s SSN and an incorrect or missing IP PIN, the IRS’s system will reject it until the taxpayer submits it with the correct IP PIN or the taxpayer files on paper. If the same conditions occur on a paper filed return, the IRS will delay its processing and any refund the taxpayer may be due for the taxpayer’s protection while the IRS determines if it is truly the taxpayer’s.

Information regarding eligibility for an IRS IP PIN and instructions is available here and to access the IRS’s FAQs on the issue, please go here.

Conclusion

Clearly, the Equifax breach raises many issues about which many individuals need to be concerned – and the pathway forward is uncertain at the moment. But by being proactive, being cautious, and taking appropriate remedial measures available to everyone, you can better position yourself to avoid fraud, protect your rights, and mitigate future fraud that might arise.

 This post was written by Justin L. Root Sara H. Jodka of Dickinson Wright PLLC © Copyright 2017
For more legal news go to The National Law Review

CFPB Proposes Additional Changes to the Prepaid Rule

On June 15, 2017, the CFPB announced that it is proposing for public comment certain modifications to its prepaid rule. The rule, which was issued in final form in October 2016, limits consumers’ losses for lost and stolen prepaid cards, requires financial institutions to investigate errors, and includes enhanced disclosure provisions.

The final rule unexpectedly granted Regulation E error resolution rights to consumers holding unregistered prepaid accounts, a provision that was not part of the CFPB’s original proposal. Financial institutions criticized this aspect of the final rule, arguing that providing error resolution rights to holders of unregistered accounts would invite and open new avenues for fraud. Financial institutions also argued that it would be difficult, if not impossible, to investigate alleged errors if they have little to no information about the purchasing customer. As a result, financial institutions have claimed that, if the CFPB retains error resolution rights for unregistered prepaid accounts, they would no longer provide immediate access to funds on such accounts.

To address these concerns, the current proposal would require consumers to register their prepaid accounts to qualify for Regulation E error resolution rights, including the right to recoup funds for lost or stolen cards. Under the CFPB’s proposal, however, Regulation E error resolution rights would apply to registered accounts even if the card was lost or stolen before the consumer completed the registration process.

The proposal also requests comment on provisions that would create an exception for certain digital wallets. Under the proposed exception, customers using digital wallets linked to a traditional credit card product would continue to receive Regulation Z’s open-end credit protections and would not receive the protections of the credit-related provisions of the prepaid rule.

As discussed in a prior post, in April 2017, the CFPB extended the compliance date for the prepaid rule from October 1, 2017, to April 1, 2018. In the latest proposal, the CFPB requests comment on whether it should extend the compliance date even further.

The proposal also includes other adjustments and clarifications regarding the definition of a prepaid account, pre-acquisition disclosure requirements, submission of prepaid account agreements to the CFPB, and unsolicited issuance of access devices. Along with its proposal, the CFPB has released an updated version if its Prepaid Rule Small Entity Compliance Guide.

Comments on the CFPB’s proposal are due 45 days after publication in the Federal Register.

This post was written by Lucille C. Bartholomew of Covington & Burling LLP.

Coming Soon to a Lawbook Near You – New Cosmetic Requirements

Cosmetics, Personal Care Products

Back in April 2015, Senators Dianne Feinstein (D-CA) and Susan Collins (R-ME) introduced the Personal Care Products Safety Act (S.1014).  More recently, on September 22, 2016, the Senate Health, Education, Labor, and Pensions Committee received testimony from Senators Feinstein and Collins in support of this bipartisan legislation.  The HELP Committee also heard from experts in the cosmetics industry about product developments and health standards.

Witnesses in favor of the Personal Care Products Safety Act stated that the FDA has not done enough to ban endocrine-disrupting chemicals in cosmetic products and that industry-financed review programs should not substitute government regulatory programs in collecting chemical toxicity data.  They contrasted FDA’s inability to ban products unless they are “adulterated” with the more expansive authorities of similar regulatory agencies in Canada, Japan, and the European Union.

Witnesses against the proposed legislation described chemical toxicity testing procedures already place, such as the Human Repeat Insult Patch Test (HRIPT).  They also noted the proposed legislation would have a disproportionate impact on smaller companies, as stricter national standards for the entire industry are expected to increase the costs of producing and distributing all kinds of personal care and cosmetic products.

As we described last year when the bill was first introduced, the Personal Care Products Safety Act would introduce significant changes to the current U.S. regulatory system for cosmetics.  Among other provisions, the bill would require cosmetic manufacturers to register with FDA annually and submit ingredient information to the agency, and for larger firms registration would be accompanied by a user fee.  Such a registration and user fee system would be similar to what is currently mandated for drug and device manufacturers.  Registered cosmetic firms would also be required to comply with Good Manufacturing Practices for their products, analogous to what drug and device companies must comply with today; such “cosmetic GMPs” would need to be developed by FDA through notice-and-comment rulemaking so that industry and other stakeholders have an opportunity to provide feedback before the rules are finalized.  In addition, S. 1014 would give FDA mandatory recall authority over cosmetics (an authority that the agency only recently obtained for food products under the Food Safety Modernization Act of 2011), and cosmetic firms would be required to report serious adverse events to FDA within 15 business days of becoming aware of the event.

Despite some opposition, congressional aides say the proposed legislation is likely to see movement next year.  FDA, too, welcomes the opportunity to increase its regulatory power over the cosmetics and personal care products.  Citing recent adverse event reports about WEN hair products, the Agency has stressed the need to do away with voluntary reporting for adverse events so that companies are required to report serious adverse events as they become aware of them.  FDA also has raised concerns about studies done by the industry self-regulatory process called Cosmetic Ingredient Review (CIR), claiming they are summaries of voluntary data rather than analyses of raw data from clinical trials.  Overall, therefore, FDA is supportive of the Senate’s effort to expand the agency’s cosmetic oversight power.  Many industry members also support the bipartisan compromise legislation, as do consumer protection groups who view some strengthening of the U.S. regulatory system as “better than nothing.”

Fatema Ghasletwala contributed to this article.

©1994-2016 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

Upcoming European Chemical Restrictions in Apparel Raise Concerns

European Chemical RestrictionsThe European Commission intends to ban the use in apparel of hundreds of Cat. 1A and 1B carcinogenic, mutagenic and toxic for reproduction substances (“CMRs”) within the next year. To do so, the Commission expects to use the so-called “fast-track” procedure to ban CMRs under Regulation 1907/2006 (“REACH Regulation”), instead of the standard procedure for prohibiting substances. Historically, the fast-track procedure has been reserved for mixtures that contain CMRs and are intended for the general public.  The Commission has indicated that its proposal to ban the use of CMRs in apparel is a “test-case” of its intention to also ban Cat. 1A and 1B CMRs in articles (i.e., objects) intended for consumers on a regular basis in the near future.  This fast-track procedure allows less scientific input from the European Chemicals Agency (“ECHA”) and industry, and the related restrictions would create significant barriers to international trade.

“Standard” vs. “Fast-Track” Procedure

Title VIII of the REACH Regulation empowers the European Commission to restrict the use in mixtures (e.g., inks, paints) and articles (e.g., apparel) of substances that pose an unacceptable risk to human health or the environment.  Restricted substances are listed in Annex XVII of the Regulation, which is regularly updated.

There are two different procedures for adding new restrictions: the “regular” and the “fast-track” procedure. In both cases, the Commission proposes the restrictions, and its final proposal is then adopted through “comitology” (i.e., a process involving the input of Member States).  The road towards the final Commission proposal, however, is very different for each procedure:

  • Standard procedure: The standard procedure is generally highly regarded for the sound scientific input it gathers. Articles 69 – 73 of the REACH Regulation include important steps, such as ECHA’s or a Member State’s preparation of an Annex XV dossier analyzing the restrictions, assessments by the Agency’s Risk Assessment Committee (“RAC”) and Socio-Economic Assessment Committee (“SEAC”), and consultation of the Forum for Exchange of Information on Enforcement (“Forum”).
  • Fast-Track Procedure: Article 68(2) of the REACH Regulation, however, empowers the Commission to ban the use of substances that are classified as Cat. 1A or 1B CMRs in mixtures and articles that could be used by consumers without the preparation of a dossier, the opinions of the RAC and SEAC or the consultation of the Forum. As the Commission recognized in its Article 68(2) Paper of 2014, the legislation provides little to no guidance on the use of this procedure.

Indeed, the fast-track procedure was originally intended, and until now has been used solely, to restrict the use of mixtures intended for consumers that contain Cat. 1A or 1B CMRs in concentrations above specific thresholds. Entries 28 to 30 of Annex XVII contain the general ban for mixtures containing Cat. 1A and 1B CMRs, and the Commission has regularly updated them by amending their Appendixes.

The procedure was historically intended for mixtures due to the potential high exposure of consumers using them. In contrast, there is scientific uncertainty on the risk of exposure of consumers to CMRs contained in articles.  As the Commission recognizes in its Article 68(2) Paper, the “main difference between articles and substances and mixtures is that there might be cases where there is no or very limited possibility of exposure of consumers to a CMR substance contained in an article.

The Proposed CMR Restrictions

The Commission’s long term strategy is to use the REACH fast-track procedure to restrict the use of Cat. 1A and 1B CMRs in a broad range of consumer products. The upcoming ban in apparel is intended as a “test-case”.

Following concerns raised by the industry, the Commission recently announced that it intends to restrict the use of Cat. 1A and 1B CMRs in textiles in two phases. First, it will restrict CMRs in textiles that are in direct contact with the skin.  This concerns primarily apparel, but also products such as footwear and bed linen.  We understand that these restrictions could be adopted by spring or summer of 2017.

Second, the Commission will restrict Cat. 1A and 1B CMRs in textiles that are not in direct contact with the skin, such as accessories (e.g., buttons), floor coverings, and carpets.  The Commission will not start this second phase until it presents its final proposal for textiles that are in direct contact with the skin.

It is still unclear which Cat. 1A and 1B CMRs the Commission will target. Initially, it had proposed to restrict 286 CMRs.  The Commission should only restrict those substances for which there are validated detection and measurement methods.

Analysis of the Planned Restrictions

The Commission’s initial proposal to restrict no less than 286 CMRs in a wide category of textile products raises significant concerns. These include:

Duplication: Of the CMRs that the Commission intends to restrict under the fast-track procedure, several are already subject to other restrictions in the REACH Regulation. The resulting double bans or restrictions might create confusion and duplication. The Commission indicated last June that it is aware of this issue and that it “is committed to avoid double regulation for the same substance and use.”

  • Trade implications: Extensive restrictions could create unnecessary barriers to trade and violate the EU’s commitments under the Agreements of the World Trade Organization. The apparel industry is a global industry; a rapidly-imposed ban on CMRs in apparel may lead operators in this sector to temporarily or permanently stop marketing certain products in the EU.
  • Socio-economic impact: It is questionable whether the Commission has sufficiently considered the cost of compliance with the upcoming restrictions. Widespread and simultaneous restrictions may represent a significant burden for industry, including numerous small and medium-sized enterprises (“SMEs”), and increase the price of apparel for consumers.

Next Steps

What lies ahead? The Commission has agreed to gather additional expert input over the next few months.  This will include input from the Forum, ECHA, and a group of experts, including industry representatives.  Subsequently, the Commission will open its proposal for a public consultation, likely by the end of 2016 or early 2017.  Once this public consultation is closed, the Commission will adopt its final proposal.

Although much remains to be decided, it is clear that a ban of hundreds of CMRs in all skin contact textiles will significantly affect apparel and footwear companies that market their goods in the EU and EEA. In the mid-long term, the Commission’s plans will likely also have a significant impact on the wider global textile and consumer goods industry.

ARTICLE BY Charlotte Ryckman of Covington & Burling LLP
Roberto Yunquera Sehwani, a Stagiaire at Covington & Burling LLP and attends the Universidad Autónoma de Madrid, also contributed to this post.

© 2016 Covington & Burling LLP

Massive Consumer Product Safety Commission IKEA Recall Leaked to Press by “CPSC Source” Prior to Official Agency Announcement

IKEA recallToday the U.S. Consumer Product Safety Commission (“CPSC”) and Health Canada announced a massive joint recall with IKEA involving over 35 million pieces of furniture that can pose a tip over hazard to small children. While we would normally write about the recall itself, a troubling development has caught our attention.  A CPSC employee prematurely leaked the recall to staff reporter Tricia Nadolny at the Philadelphia Enquirer.

The CPSC and IKEA officially announced the recall this morning, but the Philadelphia Enquirer prematurely broke the story yesterday afternoon. The reporter confirmed in the story that her source works for the CPSC and did not have clearance to discuss the recall publicly. Additionally, the story included quotes from consumer advocates and other interested parties reacting to the recall—indicating that the reporter had the information for a decent amount of time prior to publishing the story.

After the Enquirer article was published, multiple other media outlets began reporting the recall. This likely put IKEA (and the CPSC) in an incredibly difficult situation of having to quickly make decisions about the release of information about the recall. For companies and legal counsel negotiating a recall—especially one of this magnitude—this is a nightmare scenario.

Even if a company has a contingency plan in the event a recall is leaked early (something we usually recommend for higher profile recalls), the carefully negotiated messaging and CPSC agreed rollout of the recall will have been thrown out the window and replaced by the leaked information. The company will be forced to scramble to respond to media questions while also not spoiling the originally planned announcement.

Additionally, and even more problematic, consumers who may have recalled units will start calling and emailing the company before they know the company’s official 800 number to call and before the company has sufficient staff to start fielding those calls. With over 29 million units involved in this specific recall, that could add up to quite a lot of phone calls and emails.

There are many compelling reasons why the CPSC and companies agree to not only the content of a recall, but also its timing. For a recall of this magnitude to be leaked to the media is a very troublesome precedent and cause for concern to companies negotiating higher profile recalls with the CPSC. Companies have not historically had much to fear in terms of recall information leaking from the agency, but this development potentially calls that into question.

Not only is it a violation of CPSC’s own statutes and regulations for recall information to be prematurely leaked to the press (and potentially could lead to employee sanctions), but it is also potentially disruptive to the effectiveness of the recall itself. The CPSC should take steps to ensure such leaks do not occur in the future.

ARTICLE BY Matthew R. Howsare & Charles A. Samuels of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

©1994-2016 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.