So…Everyone’s Been Compromised? What To Do In The Wake of the Equifax Breach

By now, you’ve probably heard that over 143 million records containing highly sensitive personal information have been compromised in the Equifax data breach. With numbers exceeding 40% of the population of the United States at risk, chances are good that you or someone you know – or more precisely, many people you know – will be affected. But until you know for certain, you are probably wondering what to do until you find out.

To be sure, there has been a lot of confusion. Many feel there was an unreasonable delay in reporting the breach. And now that it has been reported, some have suggested that people who sign up with the Equifax website to determine if they were in the breach might be bound to an arbitration clause and thereby waive their right to file suit if necessary later (although Equifax has since said that is not the case). Others have reported that the “personal identification number” (PIN) provided by Equifax for those who do register with the site is nothing more than a date and time stamp, which could be subject to a brute-force attack, which is not necessarily reassuring when dealing with personal information. Still others have reported that the site itself is subject to vulnerabilities such as cross-site scripting (XSS), which could give hackers another mechanism to steal personal information. And some have even questioned the validity of the responses provided by Equifax when people query to see if they might have been impacted.

In all the chaos, it’s hard to know how to best proceed. Fortunately, you have options other than using Equifax’s website.

1. Place a Credit Freeze

Know that if you are a victim of the breach, you will be notified by Equifax eventually. In the meantime, consider placing a credit freeze on your accounts with the three major credit reporting bureaus. All three major credit reporting bureaus allow consumers to freeze their credit reports for a small fee, and you will need to place a freeze with each credit bureau. If you are the victim of identity fraud, or if your state’s law mandates, a credit freeze can be implemented without charge. In some states, you may incur a small fee. Lists of fees for residents of various states can be found at the TransUnionExperian, and Equifax websites. Placing a freeze on your credit reports will restrict access to your information and make it more difficult for identity thieves to open accounts in your name. This will not affect your credit score but there may be a second fee associated with lifting a credit freeze, so it is important to research your options before proceeding. Also, know that you will likely face a delay period before a freeze can be lifted, so spur-of-the-moment credit opportunities might suffer.

Here is information for freezing your credit with each credit bureau:

Equifax Credit Freeze

  • You may do a credit freeze online or by certified mail (return receipt requested) to:

            Equifax Security Freeze

            P.O. Box 105788

            Atlanta, GA 30348

  • To unfreeze, you must do a temporary thaw by regular mail, online or by calling 1-800-685-1111 (for New York residents call 1-800-349-9960).

Experian Credit Freeze

  • You may do a credit freeze online, by calling 1-888-EXPERIAN (1-888-397-3742) or by certified mail (return receipt requested) to:

            Experian

            P.O. Box 9554

            Allen, TX 75013

  • To unfreeze, you must do a temporary thaw online or by calling 1-888-397-3742.

TransUnion Credit Freeze

  • You may do a credit freeze online, by phone (1-888-909-8872) or by certified mail (return receipt requested) to:

            TransUnion LLC

            P.O. Box 2000

            Chester, PA 19016

  • To unfreeze, you must do a temporary thaw online or by calling 1-888-909-8872.

After you complete a freeze, make sure you have a pen and paper handy because you will be given a PIN code to keep in a safe place.

2. Obtain a Free Copy of Your Credit Report

Consider setting up a schedule to obtain a copy of your free annual credit report from each of the reporting bureaus on a staggered basis. By obtaining and reviewing a report from one of the credit reporting bureaus every three or four months, you can better position yourself to respond to unusual or fraudulent activity more frequently. Admittedly, there is a chance that one of the reporting bureaus might miss an account that is reported by the other two but the benefit offsets the risk.

3. Notify Law Enforcement and Obtain a Police Report

If you find you are the victim of identity fraud (that is, actual fraudulent activity – not just being a member of the class of affected persons), notify your local law enforcement agency to file a police report. Having a police report will help you to challenge fraudulent activity, will provide you with verification of the fraud to provide to credit companies’ fraud investigators, and will be beneficial if future fraud occurs. To that end, be aware that additional fraud may arise closer to the federal tax filing deadline and having a police report already on file can help you resolve identity fraud problems with the Internal Revenue Service if false tax returns are filed under your identity.

4. Obtain an IRS IP PIN

Given the nature of the information involved in the breach, an additional option for individuals residing in Florida, Georgia, and Washington, D.C. is to obtain an IRS IP PIN, which is a 6-digit number assigned to eligible taxpayers to help prevent the misuse of Social Security numbers in federal tax filings. An IP PIN helps the IRS verify a taxpayer’s identity and accept their electronic or paper tax return. When a taxpayer has an IP PIN, it prevents someone else from filing a tax return with the taxpayer’s SSN.

If a return is e-filed with a taxpayer’s SSN and an incorrect or missing IP PIN, the IRS’s system will reject it until the taxpayer submits it with the correct IP PIN or the taxpayer files on paper. If the same conditions occur on a paper filed return, the IRS will delay its processing and any refund the taxpayer may be due for the taxpayer’s protection while the IRS determines if it is truly the taxpayer’s.

Information regarding eligibility for an IRS IP PIN and instructions is available here and to access the IRS’s FAQs on the issue, please go here.

Conclusion

Clearly, the Equifax breach raises many issues about which many individuals need to be concerned – and the pathway forward is uncertain at the moment. But by being proactive, being cautious, and taking appropriate remedial measures available to everyone, you can better position yourself to avoid fraud, protect your rights, and mitigate future fraud that might arise.

 This post was written by Justin L. Root Sara H. Jodka of Dickinson Wright PLLC © Copyright 2017
For more legal news go to The National Law Review

CFPB Proposes Additional Changes to the Prepaid Rule

On June 15, 2017, the CFPB announced that it is proposing for public comment certain modifications to its prepaid rule. The rule, which was issued in final form in October 2016, limits consumers’ losses for lost and stolen prepaid cards, requires financial institutions to investigate errors, and includes enhanced disclosure provisions.

The final rule unexpectedly granted Regulation E error resolution rights to consumers holding unregistered prepaid accounts, a provision that was not part of the CFPB’s original proposal. Financial institutions criticized this aspect of the final rule, arguing that providing error resolution rights to holders of unregistered accounts would invite and open new avenues for fraud. Financial institutions also argued that it would be difficult, if not impossible, to investigate alleged errors if they have little to no information about the purchasing customer. As a result, financial institutions have claimed that, if the CFPB retains error resolution rights for unregistered prepaid accounts, they would no longer provide immediate access to funds on such accounts.

To address these concerns, the current proposal would require consumers to register their prepaid accounts to qualify for Regulation E error resolution rights, including the right to recoup funds for lost or stolen cards. Under the CFPB’s proposal, however, Regulation E error resolution rights would apply to registered accounts even if the card was lost or stolen before the consumer completed the registration process.

The proposal also requests comment on provisions that would create an exception for certain digital wallets. Under the proposed exception, customers using digital wallets linked to a traditional credit card product would continue to receive Regulation Z’s open-end credit protections and would not receive the protections of the credit-related provisions of the prepaid rule.

As discussed in a prior post, in April 2017, the CFPB extended the compliance date for the prepaid rule from October 1, 2017, to April 1, 2018. In the latest proposal, the CFPB requests comment on whether it should extend the compliance date even further.

The proposal also includes other adjustments and clarifications regarding the definition of a prepaid account, pre-acquisition disclosure requirements, submission of prepaid account agreements to the CFPB, and unsolicited issuance of access devices. Along with its proposal, the CFPB has released an updated version if its Prepaid Rule Small Entity Compliance Guide.

Comments on the CFPB’s proposal are due 45 days after publication in the Federal Register.

This post was written by Lucille C. Bartholomew of Covington & Burling LLP.

Coming Soon to a Lawbook Near You – New Cosmetic Requirements

Cosmetics, Personal Care Products

Back in April 2015, Senators Dianne Feinstein (D-CA) and Susan Collins (R-ME) introduced the Personal Care Products Safety Act (S.1014).  More recently, on September 22, 2016, the Senate Health, Education, Labor, and Pensions Committee received testimony from Senators Feinstein and Collins in support of this bipartisan legislation.  The HELP Committee also heard from experts in the cosmetics industry about product developments and health standards.

Witnesses in favor of the Personal Care Products Safety Act stated that the FDA has not done enough to ban endocrine-disrupting chemicals in cosmetic products and that industry-financed review programs should not substitute government regulatory programs in collecting chemical toxicity data.  They contrasted FDA’s inability to ban products unless they are “adulterated” with the more expansive authorities of similar regulatory agencies in Canada, Japan, and the European Union.

Witnesses against the proposed legislation described chemical toxicity testing procedures already place, such as the Human Repeat Insult Patch Test (HRIPT).  They also noted the proposed legislation would have a disproportionate impact on smaller companies, as stricter national standards for the entire industry are expected to increase the costs of producing and distributing all kinds of personal care and cosmetic products.

As we described last year when the bill was first introduced, the Personal Care Products Safety Act would introduce significant changes to the current U.S. regulatory system for cosmetics.  Among other provisions, the bill would require cosmetic manufacturers to register with FDA annually and submit ingredient information to the agency, and for larger firms registration would be accompanied by a user fee.  Such a registration and user fee system would be similar to what is currently mandated for drug and device manufacturers.  Registered cosmetic firms would also be required to comply with Good Manufacturing Practices for their products, analogous to what drug and device companies must comply with today; such “cosmetic GMPs” would need to be developed by FDA through notice-and-comment rulemaking so that industry and other stakeholders have an opportunity to provide feedback before the rules are finalized.  In addition, S. 1014 would give FDA mandatory recall authority over cosmetics (an authority that the agency only recently obtained for food products under the Food Safety Modernization Act of 2011), and cosmetic firms would be required to report serious adverse events to FDA within 15 business days of becoming aware of the event.

Despite some opposition, congressional aides say the proposed legislation is likely to see movement next year.  FDA, too, welcomes the opportunity to increase its regulatory power over the cosmetics and personal care products.  Citing recent adverse event reports about WEN hair products, the Agency has stressed the need to do away with voluntary reporting for adverse events so that companies are required to report serious adverse events as they become aware of them.  FDA also has raised concerns about studies done by the industry self-regulatory process called Cosmetic Ingredient Review (CIR), claiming they are summaries of voluntary data rather than analyses of raw data from clinical trials.  Overall, therefore, FDA is supportive of the Senate’s effort to expand the agency’s cosmetic oversight power.  Many industry members also support the bipartisan compromise legislation, as do consumer protection groups who view some strengthening of the U.S. regulatory system as “better than nothing.”

contributed to this article.

©1994-2016 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

Upcoming European Chemical Restrictions in Apparel Raise Concerns

European Chemical RestrictionsThe European Commission intends to ban the use in apparel of hundreds of Cat. 1A and 1B carcinogenic, mutagenic and toxic for reproduction substances (“CMRs”) within the next year. To do so, the Commission expects to use the so-called “fast-track” procedure to ban CMRs under Regulation 1907/2006 (“REACH Regulation”), instead of the standard procedure for prohibiting substances. Historically, the fast-track procedure has been reserved for mixtures that contain CMRs and are intended for the general public.  The Commission has indicated that its proposal to ban the use of CMRs in apparel is a “test-case” of its intention to also ban Cat. 1A and 1B CMRs in articles (i.e., objects) intended for consumers on a regular basis in the near future.  This fast-track procedure allows less scientific input from the European Chemicals Agency (“ECHA”) and industry, and the related restrictions would create significant barriers to international trade.

“Standard” vs. “Fast-Track” Procedure

Title VIII of the REACH Regulation empowers the European Commission to restrict the use in mixtures (e.g., inks, paints) and articles (e.g., apparel) of substances that pose an unacceptable risk to human health or the environment.  Restricted substances are listed in Annex XVII of the Regulation, which is regularly updated.

There are two different procedures for adding new restrictions: the “regular” and the “fast-track” procedure. In both cases, the Commission proposes the restrictions, and its final proposal is then adopted through “comitology” (i.e., a process involving the input of Member States).  The road towards the final Commission proposal, however, is very different for each procedure:

  • Standard procedure: The standard procedure is generally highly regarded for the sound scientific input it gathers. Articles 69 – 73 of the REACH Regulation include important steps, such as ECHA’s or a Member State’s preparation of an Annex XV dossier analyzing the restrictions, assessments by the Agency’s Risk Assessment Committee (“RAC”) and Socio-Economic Assessment Committee (“SEAC”), and consultation of the Forum for Exchange of Information on Enforcement (“Forum”).
  • Fast-Track Procedure: Article 68(2) of the REACH Regulation, however, empowers the Commission to ban the use of substances that are classified as Cat. 1A or 1B CMRs in mixtures and articles that could be used by consumers without the preparation of a dossier, the opinions of the RAC and SEAC or the consultation of the Forum. As the Commission recognized in its Article 68(2) Paper of 2014, the legislation provides little to no guidance on the use of this procedure.

Indeed, the fast-track procedure was originally intended, and until now has been used solely, to restrict the use of mixtures intended for consumers that contain Cat. 1A or 1B CMRs in concentrations above specific thresholds. Entries 28 to 30 of Annex XVII contain the general ban for mixtures containing Cat. 1A and 1B CMRs, and the Commission has regularly updated them by amending their Appendixes.

The procedure was historically intended for mixtures due to the potential high exposure of consumers using them. In contrast, there is scientific uncertainty on the risk of exposure of consumers to CMRs contained in articles.  As the Commission recognizes in its Article 68(2) Paper, the “main difference between articles and substances and mixtures is that there might be cases where there is no or very limited possibility of exposure of consumers to a CMR substance contained in an article.

The Proposed CMR Restrictions

The Commission’s long term strategy is to use the REACH fast-track procedure to restrict the use of Cat. 1A and 1B CMRs in a broad range of consumer products. The upcoming ban in apparel is intended as a “test-case”.

Following concerns raised by the industry, the Commission recently announced that it intends to restrict the use of Cat. 1A and 1B CMRs in textiles in two phases. First, it will restrict CMRs in textiles that are in direct contact with the skin.  This concerns primarily apparel, but also products such as footwear and bed linen.  We understand that these restrictions could be adopted by spring or summer of 2017.

Second, the Commission will restrict Cat. 1A and 1B CMRs in textiles that are not in direct contact with the skin, such as accessories (e.g., buttons), floor coverings, and carpets.  The Commission will not start this second phase until it presents its final proposal for textiles that are in direct contact with the skin.

It is still unclear which Cat. 1A and 1B CMRs the Commission will target. Initially, it had proposed to restrict 286 CMRs.  The Commission should only restrict those substances for which there are validated detection and measurement methods.

Analysis of the Planned Restrictions

The Commission’s initial proposal to restrict no less than 286 CMRs in a wide category of textile products raises significant concerns. These include:

Duplication: Of the CMRs that the Commission intends to restrict under the fast-track procedure, several are already subject to other restrictions in the REACH Regulation. The resulting double bans or restrictions might create confusion and duplication. The Commission indicated last June that it is aware of this issue and that it “is committed to avoid double regulation for the same substance and use.”

  • Trade implications: Extensive restrictions could create unnecessary barriers to trade and violate the EU’s commitments under the Agreements of the World Trade Organization. The apparel industry is a global industry; a rapidly-imposed ban on CMRs in apparel may lead operators in this sector to temporarily or permanently stop marketing certain products in the EU.
  • Socio-economic impact: It is questionable whether the Commission has sufficiently considered the cost of compliance with the upcoming restrictions. Widespread and simultaneous restrictions may represent a significant burden for industry, including numerous small and medium-sized enterprises (“SMEs”), and increase the price of apparel for consumers.

Next Steps

What lies ahead? The Commission has agreed to gather additional expert input over the next few months.  This will include input from the Forum, ECHA, and a group of experts, including industry representatives.  Subsequently, the Commission will open its proposal for a public consultation, likely by the end of 2016 or early 2017.  Once this public consultation is closed, the Commission will adopt its final proposal.

Although much remains to be decided, it is clear that a ban of hundreds of CMRs in all skin contact textiles will significantly affect apparel and footwear companies that market their goods in the EU and EEA. In the mid-long term, the Commission’s plans will likely also have a significant impact on the wider global textile and consumer goods industry.

ARTICLE BY Charlotte Ryckman of Covington & Burling LLP
Roberto Yunquera Sehwani, a Stagiaire at Covington & Burling LLP and attends the Universidad Autónoma de Madrid, also contributed to this post.

Massive Consumer Product Safety Commission IKEA Recall Leaked to Press by “CPSC Source” Prior to Official Agency Announcement

IKEA recallToday the U.S. Consumer Product Safety Commission (“CPSC”) and Health Canada announced a massive joint recall with IKEA involving over 35 million pieces of furniture that can pose a tip over hazard to small children. While we would normally write about the recall itself, a troubling development has caught our attention.  A CPSC employee prematurely leaked the recall to staff reporter Tricia Nadolny at the Philadelphia Enquirer.

The CPSC and IKEA officially announced the recall this morning, but the Philadelphia Enquirer prematurely broke the story yesterday afternoon. The reporter confirmed in the story that her source works for the CPSC and did not have clearance to discuss the recall publicly. Additionally, the story included quotes from consumer advocates and other interested parties reacting to the recall—indicating that the reporter had the information for a decent amount of time prior to publishing the story.

After the Enquirer article was published, multiple other media outlets began reporting the recall. This likely put IKEA (and the CPSC) in an incredibly difficult situation of having to quickly make decisions about the release of information about the recall. For companies and legal counsel negotiating a recall—especially one of this magnitude—this is a nightmare scenario.

Even if a company has a contingency plan in the event a recall is leaked early (something we usually recommend for higher profile recalls), the carefully negotiated messaging and CPSC agreed rollout of the recall will have been thrown out the window and replaced by the leaked information. The company will be forced to scramble to respond to media questions while also not spoiling the originally planned announcement.

Additionally, and even more problematic, consumers who may have recalled units will start calling and emailing the company before they know the company’s official 800 number to call and before the company has sufficient staff to start fielding those calls. With over 29 million units involved in this specific recall, that could add up to quite a lot of phone calls and emails.

There are many compelling reasons why the CPSC and companies agree to not only the content of a recall, but also its timing. For a recall of this magnitude to be leaked to the media is a very troublesome precedent and cause for concern to companies negotiating higher profile recalls with the CPSC. Companies have not historically had much to fear in terms of recall information leaking from the agency, but this development potentially calls that into question.

Not only is it a violation of CPSC’s own statutes and regulations for recall information to be prematurely leaked to the press (and potentially could lead to employee sanctions), but it is also potentially disruptive to the effectiveness of the recall itself. The CPSC should take steps to ensure such leaks do not occur in the future.

©1994-2016 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

Breaking: CPSC Obtains Record $15.45 Million Civil Penalty in Settlement Agreement with Gree

Consumer Product Safety Commission SealThis morning, the U.S. Consumer Product Safety Commission (CPSC) announced that it has obtained a record-breaking $15.45 million civil penalty in a settlement agreement with Gree Electric Appliances of China, Hong Kong Gree Electric Appliances Sales Co. of Hong Kong, and Gree USA Sales of California (Gree) over dehumidifiers sold under 13 different brand names.  This civil penalty amount shatters the largest previous amount levied by the CPSC against a company, $4.3 million.

The amount of this civil penalty—the maximum permitted under the Consumer Product Safety Act (CPSA)—is consistent with a series of recent remarks made by CPSC Chairman Elliot Kaye.  In 2015, Kaye remarked at the annual ICPHSO product safety conference that he was directing staff to seek significantly higher civil penalties against companies for violations of the CPSA.  Last month, at the 2016 ICPHSO conference in Washington, D.C., Kaye doubled down (literally) by stating that he wanted to see “double digit” civil penalties based on certain fact patterns as that is what Congress intended when it increased the civil penalty ceiling in the Consumer Product Safety Improvement Act of 2008 (CPSIA).

According to the settlement agreement, the CPSC alleged that Gree did the following: (1) knowingly failed to report a defect and unreasonable risk of serious injury to the CPSC immediately with dehumidifiers sold under thirteen brand names; (2) knowingly made misrepresentations to the CPSC; (3) sold dehumidifiers bearing the UL safety certification mark knowing that the dehumidifiers did not meet UL flammability standards.  The CPSC alleged further that Gree’s subject dehumidifiers had a defect that caused them to overheat, and, on occasion, catch fire, causing a purported $4.5 million in property damage.

Gree denied the CPSC’s allegations and also set forth in the settlement agreement that it voluntarily notified the Commission in connection with the dehumidifiers, carried out a voluntary recall in cooperation with the Commission and acted to reduce the potential risk of injury.

In addition to paying the $15.4 million civil penalty to settle the CPSC’s charges, Gree has agreed to implement a stringent compliance program to ensure future compliance with the CPSA.  Such compliance programs have become common elements in civil penalty settlement agreements.

The vote to approve the settlement agreement was 4-1 in favor, with Commissioner Ann Marie Buerkle voting against.   Although voting in favor of the agreement, Commissioner Joe Mohorovic issued a statement expressing reservation that the public facing documents do not reveal enough detail (in Mohorovic’s words the “compelling facts”) for the regulated community to draw lessons.   Mohorovic has expressed these same concerns previously.

©1994-2016 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

True Green for True Blue: Blue Buffalo Promises $32 Million Settlement

Pet-food maker Blue Buffalo will pay $32 million to settle 13 consumer class action suits, the company announced last month.

The 13 class actions—which pet owners originally filed in California, Connecticut, Florida, Illinois, Louisiana, Massachusetts, Missouri, New York, Ohio, and South Carolina federal courts—were consolidated in the Eastern District of Missouri in October 2014.  The consolidated action centers on Blue Buffalo’s “True Blue Promise” labels, which allegedly appeared on all Blue Buffalo products.  Blue Buffalo’s True Blue Promise was that its brand of pet food contains “Only the Finest Natural Ingredients,” with

  • real meat first ingredients,

  • “NO Chicken or Poultry By-Product Meals,”

  • “NO Corn, Wheat or Soy,” and

  • “NO Artificial Preservatives, Colors or Flavors.”

These True Blue Promise claims were allegedly restated on the front and back labels of every Blue Buffalo product and in other Blue Buffalo promotional materials. The class action plaintiffs also asserted that they paid a higher price for Blue Buffalo’s products because of the True Blue Promise.

But according to the class action plaintiffs, independent tests showed that some Blue Buffalo products did, in fact, contain chicken and poultry by-products.  In addition, the tests indicated the presence of rice and corn in some products, including products from Blue Buffalo’s “Wilderness” and “Freedom” product lines, which were advertised as being grain-free.

Blue Buffalo denied any wrongdoing in entering into the settlement, stating that it agreed to the settlement to eliminate the uncertainties, burden and expense of further litigation. Under the terms of the deal, Blue Buffalo will pay the $32 million into a settlement fund.  From this fund, Blue Buffalo will pay its class member customers an amount of money based on the number of Blue Buffalo products they purchased during the class period, and subject to certain conditions.  Attorneys’ fees and costs will also be paid from the settlement fund.  The court has given the settlement agreement preliminary approval, and will hold a fairness hearing on May 19, 2016.  At that time, the court will decide whether to give the settlement final approval.

This case serves as a cautionary reminder of the potential liabilities of false advertising class actions. Nestle Purina, a competing pet food maker, commented that this $32 million settlement is the largest pet food class action settlement ever.  In May 2014, Nestle Purina filed a false advertising lawsuit against Blue Buffalo on the basis of similar claims.  That separate false advertising case against Blue Buffalo is ongoing before the same judge who presided over the consolidated consumer class actions, Judge Rodney W. Sippel.

© 2016 Proskauer Rose LLP.

Oh What Fun It Is To Ride . . . A Hoverboard? This Year’s Must-Have Holiday Gift Poses Potential Litigation Risks for Manufacturers

back to the future hoverboardIn 1989, the Back to the Future franchise made several fanciful predictions about 2015.  One prediction may now be coming true: hoverboards have hit the streets — sort of.  The currently-available hoverboards, as opposed to the Hollywood fantasy ones, are more properly described as hands-free, self-balancing scooters.  Fueled by viral videos and celebrity social media posts, these battery-powered scooters are quickly becoming the must-have gift of the holiday season.

As the popularity of these hoverboards increases, however, so too does the potential for claims against manufacturers and sellers.  Over the last three months, the Consumer Product Safety Commission (“CPSC”) has reportedly learned about nearly 20 separate injuries from hoverboard-related accidents, ranging from sprains and contusions to broken bones and at least one head injury.

While the CPSC has not taken any formal action in response to any of these injury reports, that could change based on recent news reports. In the past two weeks, there have been two separate reports of hoverboards spontaneously igniting and causing a fire. This type of potential hazard could capture the attention of consumers, manufacturers, and regulators alike.

In Louisiana, a family reportedly has sued a hoverboard manufacturer claiming that the hoverboard burst into flames while charging, destroying their home.  In Alabama, a man recently posted a video showing his hoverboard engulfed in flames after it allegedly caught fire while in use.   Although the CPSC has said that it has not yet received any reports of injuries due to hoverboard fires, it has reportedly announced that it is investigating the product line based on these fire-related complaints.

Despite these reports, the market for hoverboards shows no signs of slowing, particularly as children make their wish lists for the holiday season.   As manufacturers, distributors, and sellers rise to meet that growing demand, they also should plan to meet the accompanying regulatory and litigation risks that follow.

© 2015 Schiff Hardin LLP

What You Need to Know About the FCC’s July 10th Declaratory Ruling on the Telephone Consumer Protection Act (TCPA)

A sharply divided FCC late Friday issued its anticipated TCPA Declaratory Ruling and Order (the “Declaratory Ruling”). This document sets forth a range of new statutory and policy pronouncements that have broad implications for businesses of all types that call or text consumers for informational or telemarketing purposes.  While some of its statements raise interesting and in some cases imponderable questions and practical challenges, this summary analysis captures the FCC’s actions in key areas where many petitioners sought clarification or relief.  Certainly there will be more to say about these key areas and other matters as analysis of the Declaratory Ruling and consideration of options begins in earnest.  There will undoubtedly be appeals and petitions for reconsideration filed in the coming weeks.  Notably, except for some limited relief to some callers to come into compliance on the form or content of prior written consents, the FCC’s Order states that the new interpretations of the TCPA are effective upon the release date of the Declaratory Ruling.  Requests may be lodged, however, to stay its enforcement pending review.

Scope and Definition of an Autodialer

An important threshold question that various petitioners had asked the FCC to clarify was what equipment falls within the definition of an “automatic telephone dialing system” or “ATDS.”  The TCPA defines an ATDS as:

equipment which has the capacity

(A) to store or produce telephone numbers to be called, using a random or sequential number generator; and

(B) to dial such numbers. 47 U.S.C. § 227(a)(1) (emphasis added).

Two recurring points of disagreement have been: (1) whether “capacity” refers to present or potential capacity, i.e., whether it refers to what equipment can do today, or what some modified version of that equipment could conceivably do tomorrow; and (2) whether “using a random or sequential number generator” should be read to limit the definition in any meaningful way.

Stating that a broad definition would be consistent with Congressional intent and would help “ensure that the restriction on autodialed calls not be circumvented,” the FCC concluded that “the TCPA’s use of ‘capacity’ does not exempt equipment that lacks the ‘present ability’ to dial randomly or sequentially.”  Rather, “the capacity of an autodialer is not limited to its current configuration but also includes its potential functionalities.”

The Declaratory Ruling stated that “little or no modern dialing equipment would fit the statutory definition of an autodialer” if it adopted a less expansive reading of the word “capacity.”  But as for whether any “modern dialing equipment” does not have the requisite “capacity,” the agency declined to say:

[W]e do not at this time address the exact contours of the “autodialer” definition or seek to determine comprehensively each type of equipment that falls within that definition that would be administrable industry-wide….  How the human intervention element applies to a particular piece of equipment is specific to each individual piece of equipment, based on how the equipment functions and depends on human intervention, and is therefore a case-by-case determination.

Indeed, although the Declaratory Ruling insisted that this interpretation has “outer limits” and does not “extend to every piece of malleable and modifiable dialing equipment,” the only example that that Declaratory Ruling offered was anything but “modern”:

[F]or example, it might be theoretically possible to modify a rotary-dial phone to such an extreme that it would satisfy the definition of “autodialer,” but such a possibility is too attenuated for us to find that a rotary-dial phone has the requisite “capacity” and therefore is an autodialer.

Finally, the FCC majority brushed off petitioners’ concerns that such a broad definition would apply to smartphones—not because it would be impossible to read that way, but because “there is no evidence in the record that individual consumers have been sued….”

Commissioner Pai’s dissent expressed concern that the FCC’s interpretation of the ATDS definition “transforms the TCPA from a statutory rifle-shot targeting specific companies that market their services through automated random or sequential dialing into an unpredictable shotgun blast covering virtually all communications devices.”  He also noted that even if smartphone owners have yet to be sued, such suits “are sure to follow….  Having opened the door wide, the agency cannot then stipulate restraint among those who would have a financial incentive to walk through it.”

Commissioner O’Rielly took issue with the FCC’s “refusal to acknowledge” the other half of the statutory definition, specifically that equipment “store or produce telephone numbers to be called, using a random or sequential number generator.”  47 U.S.C. § 227(a)(1).  “Calling off a list or from a database of customers … does not fit the definition,” he explained.  And as for the reading of the word “capacity,” the Commissioner stated that the FCC majority’s “real concern seems to be that … companies would game the system” by “claim[ing] that they aren’t using the equipment as an autodialer” but “secretly flipping a switch to convert it into one for purposes of making the calls.”  He explained that even if there had been examples of this in the regulatory record, “this could be handled as an evidentiary matter.  If a company can provide evidence that the equipment was not functioning as an autodialer at the time a call was made, then that should end the matter.”

Given the breadth of the FCC’s purported interpretation of ATDS, which clashes with the views of a number of courts in recent litigation and is replete with ambiguity, this portion of the Declaratory Ruling will most certainly be challenged.

Consent and Revocation of Consent

The Declaratory Ruling addressed the question of whether a person who has previously given consent to be called may revoke that consent and indicated that consumers have the ability to revoke consent in any “reasonable manner.”  As dissenting Commissioner Pai noted, this can lead to absurd results if consumers are entirely free to individually and idiosyncratically select their mode and manner of revocation, particularly for any such oral, in-store communication.  The Commissioner’s dissent asked ruefully whether the new regime would cause businesses to “have to record and review every single conversation between customers and employees….Would a harried cashier at McDonald’s have to be trained in the nuances of customer consent for TCPA purposes?……the prospects make one grimace.”

FCC Petitioner Santander had sought clarification of the ability of a consumer to revoke consent and alternatively, to allow the calling party to designate the methods to be used by a consumer to revoke previously provided consent.  In considering the TCPA’s overall purpose as a consumer protection statute, the FCC determined that the silence in the statute on the issue of revocation is most reasonably interpreted in favor of allowing consumers to revoke their consent to receive covered calls or texts.  The Declaratory Ruling found comfort both in other FCC decisions and in the common law right to revoke consent, which is not overridden by the TCPA.  The Declaratory Ruling stated that this interpretation imposes no new restriction on speech and established no new law.

The FCC noted that its prior precedent on the question of revocation was in favor of allowing consumer revocation “in any manner that clearly expresses a desire not to receive further messages, and that callers may not infringe on that ability by designating an exclusive means to revoke.”  Stating that consumers can revoke consent by “using any reasonable method,” the FCC determined that a caller seeking to provide exclusive means to register revocation requests would “place a significant burden on the called party.”  The Declaratory Ruling contains no serious discussion of the burdens placed on businesses by one-off individual revocations.   The FCC majority also rejected the argument that oral revocation would unnecessarily create many avoidable factual disputes, instead stating that “the well-established evidentiary value of business records means that callers have reasonable ways to carry their burden of proving consent.”

Reassigned Number “Safe Harbor”

There is perhaps no issue that garners more frustration among parties engaged in calling activities than potential TCPA liability for calls to reassigned numbers.  No matter how vigilant a caller is with respect to compliance, under the FCC’s preexisting and now expanded statements, it is impossible to eliminate the risk of exposure short of not calling anyone.  As explained in Commissioner O’Rielly’s Separate Statement: “numerous companies, acting in good faith to contact consumers that have consented to receive calls or texts, are exposed to liability when it turns out that numbers have been reassigned without their knowledge.”  This portion of the Declaratory Ruling will also most certainly be subject to challenges.

While relying on a number of flawed assumptions, the FCC: (1) rejected the sensible “intended recipient” interpretation of “called party”; (2) disregarded the fact that comprehensive solutions to addressing reassigned numbers do not exist; (3) adopted an unworkable and ambiguous “one-call exemption” for determining if a wireless number has been reassigned (a rule that constitutes “fake relief instead of a solution,” as explained by Commissioner O’Rielly); and (4) encouraged companies to include certain language in their agreements with consumers so that they can take legal action against consumers if they do not notify the companies when they relinquish their wireless phone numbers.

First, the FCC purported to clarify that the TCPA requires the consent of the “current subscriber” or “the non-subscriber customary user of the phone.”  It found that consent provided by the customary user of a cell phone may bind the subscriber.  The FCC declined to interpret “called party” as the “intended recipient,” as urged by a number of petitioners and commenters and held by some courts.

Second, the FCC quickly acknowledged and then set aside the significant fact that there exists no comprehensive public directory of reassigned number data provided by the carriers.  Instead, it seemed flummoxed by the purported scope of information accessible to companies to address the reassigned number issue.  The FCC suggested  that companies could improvise ways to screen for reassigned numbers (e.g., by manually dialing numbers and listening to voicemail messages to confirm identities or by emailing consumers first to confirm their current wireless phone numbers) and explained that “caller best practices can facilitate detection of reassignment before calls.”  Ignoring the reality of TCPA liability, the FCC explained that “[c]allers have a number of options available to them that, over time, may permit them to learn of reassigned numbers.” (emphasis added).

Third, the FCC purported to create an untenable “one-call exemption.”  The Declaratory Ruling explained “that callers who make calls without knowledge of reassignment and with a reasonable basis to believe they have valid consent to make the call should be able to initiate one call after reassignment as an additional opportunity to gain actual or constructive knowledge of the reassignment and cease future calls to the new subscriber.  If this one additional call does not yield actual knowledge of reassignment, we deem the caller to have constructive knowledge of such.”

One potentially helpful clarification made was the determination that porting a number from wireline to a wireless service is not to be treated as an action that revokes prior express consent, and thus the FCC stated that that prior consent may continue to be relied upon so long it is the same type of call for which consent was initially given.  The FCC agreed with commenters who had observed that if a consumer no longer wishes to get calls, then it is her right and responsibility to revoke that consent.  Unless and until that happens, however, the FCC stated that a caller may rely on previously provided consent to continue to make that same type of call.  Valid consent to be called as to a specified type of call continues, “absent indication from the consumer that he wishes to revoke consent.”   As wireline callers need not provide express consent to be autodialed, any party calling consumers would have to still be aware of the nature of the called number to determine whether appropriate consent to be called was present.

Finally, the FCC – which claims to be driven by consumer interests throughout its Declaratory Ruling – makes the suggestion that companies should require customers, through agreement, to notify them when they relinquish their wireless phone numbers and then initiate legal action against the prior holders of reassigned numbers if they fail to do so.  “Nothing in the TCPA or our rules prevents parties from creating, through a contract or other private agreement, an obligation for the person giving consent to notify the caller when the number has been relinquished.  The failure of the original consenting party to satisfy a contractual obligation to notify a caller about such a change [of a cell phone number] does not preserve the previously existing consent to call that number, but instead creates a situation in which the caller may wish to seek legal remedies for violation of that agreement.”

Treatment of Text Messaging and Internet-to-Phone Messaging

The Declaratory Ruling also addressed a number of issues that specifically affect text messaging under the TCPA.   First, the FCC addressed the status of SMS text messages in response to a petition that asked the FCC to make a distinction between text messages and voice calls.  The FCC reiterated that SMS text messages are subject to the same consumer protections under the TCPA as voice calls and rejected the argument that they are more akin to instant messages or emails.

Second, the FCC addressed the treatment of Internet-to-phone text messages under the TCPA.  These messages differ from phone-to-phone SMS messages in that they originate as e-mails and are sent to an e-mail address composed of the recipient’s wireless number and the carrier’s domain name.  The FCC explained that Internet-to-phone text messaging is the functional equivalent of phone-to-phone SMS text messaging and is therefore covered by the TCPA.  The FCC also found that the equipment used to send Internet-to-phone text messages is an automatic telephone dialing system for purposes of the TCPA.  In so doing, the FCC expressly rejected the notion that only the CAN-SPAM Act applies to these messages to the exclusion of the TCPA.

Finally, the FCC did provide some clarity as to one issue that had created significant confusion since the adoption of the current TCPA rules in 2012: whether a one-time text message sent in response to a consumer’s specific request for information constitutes a telemarketing message under the TCPA.  The specific scenario that was presented to the FCC is one confronted by many businesses: they display or publish a call-to-action, they receive a specific request from a consumer in response to that call-to-action, and they wish to send a text message to the consumer with the information requested without violating the TCPA and the FCC’s rules.

The FCC brought clarity to this question by finding that a one-time text message does not violate the TCPA or the FCC’s rules as long as it is sent immediately to a consumer in response to a specific request and contains only the information requested by the consumer without any other marketing or advertising information.  The FCC explained that such messages were not telemarketing, but “instead fulfillment of the consumer’s request to receive the text.”  Businesses may voluntarily provide the TCPA disclosures in their calls-to-action, as the FCC noted in the Declaratory Ruling, but a single text message to consumers who responded to the call-to-action or otherwise requested that specific information be sent to them would not be considered a telemarketing message and, as such, would not require the advance procurement of express written consent.

Limited Exemptions for Bank Fraud and Exigent Healthcare Calls and Texts

The TCPA empowers the agency to “exempt . . . calls to a telephone number assigned to a cellular telephone service that are not charged to the called party, subject to such conditions as the Commission may prescribe as necessary in the interest of the privacy rights [the TCPA] is intended to protect.”  47 U.S.C. § 227(b)(2)(C).  In March 2014, the FCC invoked this authority to grant an exemption from the TCPA’s prior express consent requirement for certain package-delivery related communications to cellular phones, requiring that for such communications to be exempt, they must (among other things) be free to the end user.

The Declaratory Ruling invoked that same provision and followed that same framework in granting exemptions for “messages about time-sensitive financial and healthcare issues” so long as the messages (whether voice calls or texts) are, among other things discussed below, free to the end user.  Oddly, the Declaratory Ruling referred to these two types of messages as “pro-consumer messages,” showcasing an apparent view that automated/autodialed calls are “anti-consumer” by default.

The FCC first addressed a petition from the American Bankers Association (ABA), seeking an exemption for four types of financial-related calls: messages about (1) potential fraud or identity theft, (2) data security breaches, (3) steps to take to prevent identity theft following a data breach, and (4) money transfers.  After analyzing the record before it regarding the exigency and consumer interest in receiving these types of communications, and finding that “the requirement to obtain prior express consent could make it impossible for effective communications of this sort to take place,” the FCC imposed the following very specific requirements in addition to the requirement that the messages be free to the end user: (1) the messages must be sent only to the number provided by the consumer to the financial institution; (2) the messages must state the name and contact information for the financial institution (for calls, at the outset); (3) the messages must be strictly limited in purpose to the four exempted types of messages and not contain any “telemarketing, cross-marketing, solicitation, debt collection, or advertising content;” (4) the messages must be concise (for calls generally one minute or less, “unless more time is needed to obtain customer responses or answer customer questions,” and for texts, 160 characters or less); (5) the messages must be limited to three per event over a three-day period for an affected account; (6) the messages must include “an easy means to opt out” (an interactive voice and/or key-press activated option for answered calls, a toll-free number for voicemail, and instructions to use “STOP” for texts); and (7) the opt-out requests must be honored “immediately.”

The FCC then addressed a petition from the American Association of Healthcare Administrative Management (AAHAM) seeking similar relief for healthcare messages.  Relying on its prior rulings regarding the scope of consent and the ability to provide consent via an intermediary, the FCC stated that (1) the “provision of a phone number to a healthcare provider constitutes prior express consent for healthcare calls subject to HIPAA by a HIPAA-covered entity and business associates acting on its behalf, as defined by HIPAA, if the covered entities and business associates are making calls within the scope of the consent given, and absent instructions to the contrary”; and, (2) such consent may be obtained through a third-party when the patient is medically incapacitated, but that “ just as a third party’s ability to consent to medical treatment on behalf of another ends at the time the patient is capable of consenting on his own behalf, the prior express consent provided by the third party is no longer valid once the period of incapacity ends.”

The FCC also granted a free-to-end-user exemption for certain calls “for which there is exigency and that have a healthcare treatment purpose”: (1) appointment and exam confirmations and reminders; (2) wellness checkups; (3) hospital pre-registration instructions; (4) pre-operative instructions; (5) lab results;(6) post-discharge follow-up intended to prevent readmission; (7) prescription notifications; and (8) home healthcare instructions.  The FCC specifically excluded from the exemption messages regarding “account communications and payment notifications, or Social Security disability eligibility.”

The Declaratory Ruling imposed mostly the same additional restrictions on free-to-end-user health-care related calls as it did with free-to-end-user financial calls: (1) the messages must be sent only to the number provided by the patient; (2) the messages must state the name and contact information for the healthcare provider (for calls, at the outset); (3) the messages must be strictly limited in purpose to the eight exempted types of messages, be HIPAA-compliant, and may not include “telemarketing, solicitation, or advertising content, or . . .  billing, debt-collection, or other financial content”; (4) the messages must be concise (for calls generally one minute or less, and for texts, 160 characters or less); (5) the messages must be limited to one per day and three per week from a specific healthcare provider; (6) the messages must include “an easy means to opt out” (an interactive voice and/or key-press activated option for answered calls, a toll-free number for voicemail, and instructions to use “STOP” for texts); and (7) the opt-out requests must be honored “immediately.”

Service Provider Offering of Call Blocking Technology

A number of state Attorneys General had sought clarification on the legal or regulatory prohibitions on carriers and VoIP providers to implement call blocking technologies.   While declining to specifically analyze in detail the capabilities and functions of particular call blocking technologies, the FCC nevertheless granted the request for clarification and stated that there is no legal barrier to service providers offering consumers the ability to block calls – using an “informed opt-in process” at the individual consumer’s direction.   Blocking categories of calls or individual calls was seen as providing consumers with enhanced tools to stop unwanted robocalls.

Service provider groups, which expressed concern that any blocking technology could be either over or under-inclusive from an individual consumer’s perspective, were provided the assurance that while both the FCC and the FTC recognize that no technology is “perfect,” accurate disclosures to consumers at the time they opt-in for these services should suffice to allay these concerns.  The Declaratory Ruling also noted that consumers are free to drop these services if they wish, and encouraged providers to offer technologies that have features that allow solicited  mass calling, such as a municipal or school alerts, to not be blocked, as well as to develop protocols to ensure public safety calls or other emergency calls are not blocked.

©2015 Drinker Biddle & Reath LLP. All Rights Reserved

Beer-Maker Puts an End to Brewhaha: Anheuser Busch Agrees to Settle Second of Two Class Action Lawsuits over Beer Origin Disclaimers

Anheuser Busch recently agreed to settle a consumer class action over Beck’s Beer labeling that we previously reported on with regard to the uptick in consumer class actions proceeding past the pleading stage in the Southern District of Florida. Marty et al. v. Anheuser-Busch Cos., 13-cv-23656-JJO (S.D. Fla.). Anheuser-Busch’s decision to settle the Beck’s suit is not surprising, given that the company had agreed in January of this year to settlement of a sister suit commenced in Florida state court over the labeling of Kirin beer (Suarez et al. v. Anheuser-Busch Cos. LLC, 2013-33620-CA-01 (Fla. Cir. Ct.)), as we also previously reported.

According to the motions for approval, the settlement terms appear to be almost identical. Under the terms of both deals, consumers who bought Kirin or Beck’s during the respective class periods (back to October 2009 for Kirin and May 2011 for Beck’s) are entitled to obtain partial refunds varying from ten cents a bottle to $1 for a twelve pack, with the refund capped at $50 per household for those whose reimbursements are supported by proofs of purchase and $12 per household for those without. Neither settlement is subject to a capped total settlement fund amount.

Both settlements also include five year injunctions, with Anheuser-Busch agreeing to inclusion of the phrase “Brewed Under Kirin’s Strict Supervision by Anheuser-Busch in Los Angeles, CA and Williamsburg, VA” more prominently on Kirin products, packaging and website, and Beck’s agreeing to the inclusion of either “Brewed in USA” or “Product of USA” on Beck’s products, packaging and website. (The Kirin injunction also requires Anheuser-Busch to refrain from using the term “import” or “imported” with reference to Kirin beer.) In both settlements, Anheuser-Busch agreed not to oppose seven figure motions for class counsel fees — $1,000,000 in the Kirin suit and $3,500,000 in the Beck’s suit.

What’s notable about both settlements is that the phrases Anheuser-Busch agreed to include on its products, packaging and product websites already appeared on the products. This fact was central to Anheuser-Busch’s failed motion to dismiss the Amended Complaint in the Beck’s suit, in which they argued that a reasonable consumer could not be deceived as to the beer’s origin because that fact was printed on the product itself. The judge, however, sided with Plaintiffs on the issue, finding that (1) a reasonable consumer could be deceived because the disclaimer was difficult to read and blocked by the packaging (the judge specifically noted that the statement was printed on a metallic background, which could be obscured by light, while the packaging submitted to the Alcohol Tobacco Tax and Trade Bureau (“TTB”) was printed on a matte background); (2) product statements referencing German “Purity Laws” might be misleading to the average consumer, even if true; and (3) product statements referencing German “Quality” were not “puffery” as a matter of law.

Notably, the injunction Beck’s agreed to addresses only the first of these issues, and we have to wonder whether the judge’s decision on the motion to dismiss would have been different had the disclaimers appeared more prominently or on the matte background approved by the TTB. These two settlements certainly serve as a warning for nationwide sellers to consider the more prominent display of the products’ origin on products and packaging, if the product labeling is potentially obscured.

© 2015 Proskauer Rose LLP.