Federal Bill Would Broaden FTC’s Role in Cybersecurity and Data Breach Disclosures

Last week, the House Energy and Commerce Committee advanced H.R. 4551, the “Reporting Attacks from Nations Selected for Oversight and Monitoring Web Attacks and Ransomware from Enemies Act” (“RANSOMWARE Act”).  H.R. 4551 was introduced by Consumer Protection and Commerce Ranking Member Gus Bilirakis (R-FL).

If it becomes law, H.R. 4551 would amend Section 14 of the U.S. SAFE WEB Act of 2006 to require not later than one year after its enactment, and every two years thereafter, the Federal Trade Commission (“FTC”) to transmit to the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate a report (the “FTC Report”).  The FTC Report would be focused on cross-border complaints received that involve ransomware or other cyber-related attacks committed by (i) Russia, China, North Korea, or Iran; or (ii) individuals or companies that are located in or have ties (direct or indirect) to those countries (collectively, the “Specified Entities”).

Among other matters, the FTC Report would include:

  • The number and details of cross-border complaints received by the FTC (including which such complaints were acted upon and which such complaints were not acted upon) that involve ransomware or other cyber-related attacks that were committed by the Specified Entities;
  • A description of trends in the number of cross-border complaints received by the FTC that relate to incidents that were committed by the Specified Entities;
  • Identification and details of foreign agencies, including foreign law enforcement agencies, located in Russia, China, North Korea, or Iran with which the FTC has cooperated and the results of such cooperation, including any foreign agency enforcement action or lack thereof;
  • A description of FTC litigation, in relation to cross-border complaints, brought in foreign courts and the results of such litigation;
  • Any recommendations for legislation that may advance the security of the United States and United States companies against ransomware and other cyber-related attacks; and
  • Any recommendations for United States citizens and United States businesses to implement best practices on mitigating ransomware and other cyber-related attacks

Cybersecurity is an area of recent federal government focus, with other measures recently taken by President Bidenthe Securities and Exchange Commissionthe Food and Drug Administration, and other stakeholders.

Additionally, H.R. 4551 is also consistent with the FTC’s focus on data privacy and cybersecurity.  The FTC has increasingly taken enforcement action against entities that failed to timely notify consumers and other relevant parties after data breaches and warned that it would continue to apply heightened scrutiny to unfair data security practices.

In May 2022, in a blog post titled “Security Beyond Prevention: The Importance of Effective Breach Disclosures,” the FTC’s Division of Privacy and Identity Protection had cautioned that “[t]he FTC has long stressed the importance of good incident response and breach disclosure as part of a reasonable information security program, and that, “[i]n some instances, the FTC Act creates a de facto breach disclosure requirement because the failure to disclose will, for example, increase the likelihood that affected parties will suffer harm.”

As readers of CPW know, state breach notification laws and sector-specific federal breach notification laws may require disclosure of some breaches.  However, as of May 2022 it is now expressly the position of the FTC that “[r]egardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act.”  This is a significant development, as notwithstanding the absence of a uniform federal data breach statute, the FTC is anticipated to continue exercise its enforcement discretion under Section 5 concerning unfair and deceptive practices in the cybersecurity context.

© Copyright 2022 Squire Patton Boggs (US) LLP

Crosshairs: Labor Board Targets Gig Economy, Noncompete Agreements, and More

Many employers in the “gig economy” – such as rideshare companies – rely heavily on independent contractors for various functions within their organizations. Because independent contractors are exempt from coverage under the National Labor Relations Act (NLRA), which includes the right to form or join unions, this appears to have garnered the attention of the National Labor Relations Board’s (NLRB) top lawyer. And it appears the NLRB may be seeking to disrupt those companies’ current staffing models.

According to a recent press release from the agency:

“National Labor Relations Board (NLRB) General Counsel Jennifer A. Abruzzo and Federal Trade Commission (FTC) Chair Lina M. Khan executed a Memorandum of Understanding (MOU) forming a partnership between the agencies that will promote fair competition and advance workers’ rights. The agreement enables the NLRB and FTC to closely collaborate by sharing information, conducting cross-training for staff at each agency, and partnering on investigative efforts within each agency’s authority.”

The statement then goes on to describe specifically how the agencies will be targeting the gig economy:

“The MOU identifies areas of mutual interest for the two agencies, including: labor market developments relating to the ‘gig economy’ such as misclassification of workers and algorithmic decision-making; the imposition of one-sided and restrictive contract provisions, such as noncompete and nondisclosure provisions; the extent and impact of labor market concentration; and the ability of workers to act collectively.”

What does this mean for employers? For one thing, it reinforces that the NLRB is going to be taking a much closer look at workers classified as independent contractors – and likely finding independent contractor status more often. For another, it means the NLRB may soon be looking at noncompete agreements and similar restrictive covenants and finding the maintenance of overbroad terms to be violations of labor law. And while the memorandum calls out the gig economy, it is not limited solely to companies operating in that space.

Employers – in the gig economy and otherwise – should take note of these agencies’ moves and be aware that these issues are likely to receive much scrutiny in the coming months and years.

© 2022 BARNES & THORNBURG LLP

The FTC Seemingly Thumbs Its Nose at the Supreme Court

Despite the Supreme Court’s recent 6-3 ruling in West Virginia v. EPA that regulatory agencies must have “clear congressional authorization” to make rules pertaining to “major questions” that are of “great political significance” and would affect “a significant portion of the American economy,” and the import of that ruling to the area of noncompete regulation, the Federal Trade Commission (FTC) and National Labor Relations Board (NLRB) announced yesterday that they are teaming up to address certain issues affecting the labor market, including the regulation of noncompetes.

In a Memorandum of Understanding (MOU) issued on July 19, 2022, the FTC and NRLB shared their shared view that:

continued and enhanced coordination and cooperation concerning issues of common regulatory interest will help to protect workers against unfair methods of competition, unfair or deceptive acts or practices, and unfair labor practices. Issues of common regulatory interest include labor market developments relating to the “gig economy” and other alternative work arrangements; claims and disclosures about earnings and costs associated with gig and other work; the imposition of one-sided and restrictive contract provisions, such as noncompete and nondisclosure provisions; the extent and impact of labor market concentration; the impact of algorithmic decision making on workers; the ability of workers to act collectively; and the classification and treatment of workers. (Emphasis added.)

Accordingly, the purpose of the MOU is “to facilitate (a) information sharing and cross-agency consultations on an ad hoc basis for official law enforcement purposes, in a manner consistent with and permitted by the laws and regulations that govern the [FTC and NLRB], (b) cross-agency training to educate each [agency] about the laws and regulations enforced by the other [agency], and (c) coordinated outreach and education as appropriate.”

This follows the Biden Administration’s July 9, 2021 Executive Order in which it “encourage[d]” the FTC to “consider” exercising its statutory rulemaking authority under the FTC Act “to curtail the unfair use of non-compete clauses and other clauses or agreements that may unfairly limit worker mobility.” Nothing concrete has yet come of that Executive Order, although the MOU perhaps represents the next stage of the FTC’s “consider[ation]” of the issue. As we previously reported, FTC Chairwoman Lina Khan recently told the Wall Street Journal that regulating noncompetes “falls squarely in [the FTC’s] wheelhouse,” and she has never been shy about sharing her view that noncompetes should be banned nationwide and that the FTC has the authority to do so. This view does not appear to have changed despite the Supreme Court’s decision in West Virginia v. EPA.

Only time will tell what, if any, action the FTC takes with respect to regulating noncompetes, but if it does take steps to ban or otherwise limit noncompetes nationwide under Section 5 of the FTC Act, there will no doubt be litigation challenging those regulations. And you can bet that the Supreme Court’s decision in West Virginia v. EPA will be front and center in any such challenge. Indeed, according to Law360, U.S. Chamber of Commerce Executive Vice President and Chief Policy Officer Neil Bradley said that the MOU shows Chairwoman Khan’s vision for the FTC “goes well beyond what is provided in law and what was envisioned by Congress.” Chairwoman Khan does not seem too perturbed by the prospect of challenges to the FTC’s authority in this regard, however, and seems intent on moving forward despite the Supreme Court’s admonition.

©2022 Epstein Becker & Green, P.C. All rights reserved.

FTC Takes First Actions Under New Made in USA Labeling Rule, Fining Battery Companies for Violations

The Federal Trade Commission (FTC) recently cracked down on Lithionics Battery, LLC, and Lions Not Sheep Products, LLC, for violating the FTC’s Made in USA Labeling Rule. These are some of the first enforcement actions after the FTC codified its longstanding informal Made in USA guidance, which makes it easier for the FTC to seek damages and levy fines. Under the proposed settlement, Lithionics will pay a $100,000 fine for falsely labeling batteries as US-made, while Lions Not Sheep will be required to pay $211,335 for falsely labeling clothing as US-made.

The Made in USA Labeling Rule

Under the Made in USA Labeling Rule, marketers suspected of making unqualified Made in USA claims must prove that their products:

  1. are all or virtually all made in the US;
  2. that all significant processing occurred in the US; and
  3. that the final assembly occurred in the US.

Although Congress enacted legislation authorizing the FTC to seek relief for Made in USA fraud almost thirty years ago, the FTC long remained silent on enforcement due to a general consensus that this specific type of fraud should not be penalized. The 2021 Made in USA Labeling Rule alters this perspective, codifying the FTC’s enforcement policy. With the Commission now being allowed to levy fines, seek damages, penalties, and/or redress on marketers who deceptively and fraudulently represent that their products are made in the US, the FTC has stepped up its enforcement efforts.

The FTC’s Recent Allegations with Lithionics and Lions Not Sheep

Lithionics

Lithionics is a Florida-based company best known for its battery products. The company has become a regular brand throughout American households. It designs and sells products for vehicles, as well as amusement parks.

The FTC alleged that Lithionics has been in violation of the Made in USA Labeling Rule since at least 2018 by intentionally misrepresenting the origin of Lithionics products. According to the Complaint, Lithionics’ products are labeled “Proudly Designed and Built in the USA” and feature an American flag. The claims were also featured across company websites, social media platforms, videos, and printed catalogs. However, according to the FTC, “all Lithionics battery and battery module products contain imported lithium ion cells” and “other significant imported components,” which, if true, would render Lithionics’ Made in USA claims false or unsubstantiated under the Made in USA Labeling Rule.”

Under the proposed order, Lithionics and its owner must stop making these claims unless they can prove their statements are true. As noted above, the company must also pay $100,000 for the alleged activity.

Lions Not Sheep

Lions Not Sheep is a self-proclaimed lifestyle brand that sells sweatshirts, hats, and shirts online.

In its allegations against Lions Not Sheep, the FTC alleged that the company has violated the Made in USA Labeling Rule since May 2021. According to the Complaint, the company intentionally removed tags disclosing that items were made in a foreign country. Instead of leaving the original tags, the FTC alleged that the company replaced them with Made in USA tags despite the products being “wholly imported with limited finishing work performed in the United States.” To make matters worse, the FTC found a video posted on the internet featuring the company’s owner blatantly claiming he could hide the fact that his shirts were made in China.

In addition to charging the company with violating the Made in the USA Labeling Rule, the FTC charged the company with violating mandatory country-of-origin labeling rules, which require all products covered by the Textile Act to include labels disclosing the manufacturer or marketer name and country where the product was manufactured. The company will be prohibited from making these claims and forced to pay $211,335.

Primary Takeaway

With the FTC now levying significant fines under the new Made in USA rule, the potential cost of non-compliance has also significantly increased. Companies should provide notice to their marketing teams and carefully review any existing claims to ensure that Made in USA claims are adequately substantiated and that marketing materials are not conveying unintended implied claims.

© 2022 ArentFox Schiff LLP

Constitutionality of FTC’s Structure and Procedures Under SCOTUS Review

Both the Federal Trade Commission (FTC) and the Antitrust Division of the Department of Justice (DOJ) have authority to enforce Section 7 of the Clayton Act by investigating and challenging mergers where the effect of such transaction “may be substantially to lessen competition or tend to create a monopoly.”

However, the enforcement paths of these two federal agencies differ markedly. DOJ pursues all aspects of its enforcement actions in the federal court system. The FTC, on the other hand, only uses the federal district courts to seek injunctive relief, but otherwise follows its own internal administrative process that combines the investigatory, prosecutorial, adjudicative, and appellate functions within a single agency.

Whether a transaction is subjected to DOJ or FTC review is determined by a “clearance” process with no public visibility. To many, including entities in the health care industry—and, in particular, parties to hospital mergers that are now routinely “cleared” to the FTC (exemplified by two recently filed enforcement actions against hospitals in New Jersey and Utah)—this process appears to be arbitrary. It is also particularly daunting because the FTC has not lost an administrative action in over a quarter-century. Because of the one-sided nature and duration of these administrative proceedings, most enforcement actions brought against merging hospitals rise or fall at the injunctive relief stage. This process also appears to embolden the FTC into taking unprecedented actions, including the pursuit of enforcement remedies against parties to abandoned transactions.

However, this may soon change. The Supreme Court of the United States has agreed to hear a case that raises a forceful constitutional challenge to the FTC’s structure and procedures. The Supreme Court recently agreed to combine the briefing schedule of this case with a similar case that successfully challenged the constitutionality of the administrative process of the Securities and Exchange Commission. The outcome of these cases may fundamentally alter the FTC’s enforcement process.

©2022 Epstein Becker & Green, P.C. All rights reserved.

FTC Imposes Record-Setting $10M Fine Against Multistate Auto Dealer, Settling Charges of Racial Discrimination and Unauthorized Charges

On March 31, the FTC and Illinois State Attorney General announced a settlement of charges against a large, multistate auto dealer that allegedly discriminated against black consumers and included illegal junk fees for unwanted “add-ons” in customers’ bills.

Citing violations under the FTC Act, TILA, ECOA, and comparable Illinois laws, the complaint alleged that eight of the dealerships and two general managers of Illinois dealerships tacked on illegal fees for unwanted products to customers’ bills, often at the end of hours-long negotiations. These add-ons were allegedly buried in the consumers’ purchase contracts, which were sometimes upwards of 60-pages long, and sometimes added despite consumers specifically declining the products.

In addition, employees of the auto dealership also allegedly discriminated against black consumers during the process of financing vehicle purchases.  On average, black customers at the dealerships were charged $190 more in interest and paid $99 more for similar add-ons than comparable non-Latino white customers.

The multistate dealer will have to pay $10 million to settle the lawsuit per the stipulated order, the largest monetary judgment ever required in an FTC auto lending case.

Putting it into Practice:  From FTC Chair Lina Khan and Commissioner Rebecca Slaughter, the FTC appears poised to allege violations of the FTC Act’s prohibition on unfair acts or practices in light of discrimination found to be based on disparate treatment or having a disparate impact.  Their statement discusses how discriminatory practices can be evaluated under the FTC’s three-part unfairness test and concludes that such conduct fits squarely into the kind of conduct that can be addressed by the FTC’s unfairness prong.  This joint statement echoes similar announcements by CFPB Director Chopra about the use of unfairness to combat discrimination more broadly (we discussed Director Chopra’s statement and updates to the CFPB’s exam procedures in a recent Consumer Finance and FinTech blog post here).

The size of the financial judgment in this case underscores the seriousness with which the FTC takes discriminatory practices in consumer credit transactions entered into by entities over which they have authority, which includes auto dealerships.  As the FTC becomes increasingly focused on enforcement of key laws to protect consumers against discriminatory conduct, companies should use these latest agency pronouncements as a reason to be on high alert for potential discriminatory outcomes in their business activities, even if unintentional.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.

FDA and FTC Issue Warning Letters to CBD Companies

  • On March 28, 2022, the Food and Drug Administration (FDA) and Federal Trade Commission (FTC) jointly issued seven warning letters to companies marketing cannabidiol (CBD) products with COVID-19 related claims.
  • Specifically, the agencies warned the following companies regarding the promotion of their respective products with claims that they cure, mitigate, treat or prevent COVID-19: CureganicsHeaven’s Organics LLCFunctional Remedies, LLC D/B/A Synchronicity Hemp OilGreenway Herbal Products LLCCBD SocialUPSY LLC, and Nature’s Highway. Examples of claims include: “Our research suggest that CBD . . . can block SARS-Cov-2 infection at early and even later stages of infection. . .”, “Studies Show CBD Compounds Prevent COVID Cells From Replicating”, and “Can CBD Help with the Fight Against COVID? Some of the worst effects of COVID are caused by inflammation, and CBD is a potent anti-inflammatory.”
  • By way of background, under the Federal Food, Drug, and Cosmetic Act (FD&C Act), products intended to cure, treat, mitigate, or prevent disease are considered drugs and are subject to the requirements that apply to drugs. Therefore, the agencies classified the products as unapproved and misbranded drugs that may not be legally introduced or delivered for introduction into interstate commerce without prior approval from FDA.
  • The letters included a cease-and-desist demand from FTC, prohibiting the companies from making such COVID-19 related claims. The companies were provided with 48 hours to respond with specific steps that were taken to correct the violations.

© 2022 Keller and Heckman LLP

WW International to Pay $1.5 Million Civil Penalty for Alleged COPPA Violations

In 2014, with childhood obesity on the rise in the United States, tech company Kurbo, Ltd. (Kurbo) marketed a free app for kids that, according to the company, was “designed to help kids and teens ages 8-17 reach a healthier weight.” When WW International (WW) (formerly Weight Watchers) acquired Kurbo in 2018, the app was rebranded “Kurbo by WW,” and WW continued to market the app to children as young as eight. But according to the Federal Trade Commission (FTC), Kurbo’s privacy practices were not exactly child-friendly, even if its app was. The FTC’s complaint, filed by the Department of Justice (DOJ) last month, claims that WW’s notice, data collection, and data retention practices violated the Children’s Online Privacy Protection Act Rule (COPPA Rule). WW and Kurbo, under a stipulated order, agreed to pay a $1.5 million civil penalty in addition to complying with a range of injunctive provisions. These provisions include, but are not limited to, deleting all personal information of children whose parents did not provide verifiable parental consent in a specified timeframe, and deleting “Affected Work Product” (defined in the order to include any models or algorithms developed in whole or in part using children’s personal information collected through the Kurbo Program).

Complaint Background

The COPPA Rule applies to any operator of a commercial website or online service directed to children that collects, uses, and/or discloses personal information from children and to any operator of a commercial website or online service that has actual knowledge that it collects, uses, and/or discloses personal information from children. Operators must notify parents and obtain their consent before collecting, using, or disclosing personal information from children under 13.

The complaint states that children enrolled in the Kurbo app by signing up through the app or having a parent do it on their behalf. Once on Kurbo, users could enter personal information such as height, weight, and age, and the app then tracked their weight, food consumption, and exercise. However, the FTC alleges that Kurbo’s age gate was porous, requiring no verification process to establish that children who affirmed they were over 13 were the age they claimed to be or that users asserting they were parents were indeed parents. In fact, the complaint alleges that the registration area featured a “tip-off” screen that gave visitors just two choices for registration: the “I’m a parent” option or the “I’m at least 13” option. Visitors saw the legend, “Per U.S. law, a child under 13 must sign up through a parent” on the registration page featuring these choices. In fact, thousands of users who indicated that they were at least 13 were younger and were able to change their information and falsify their real age. Users who lied about their age or who falsely claimed to be parents were able to continue to use the app. In 2020, after a warning from the FTC, Kurbo implemented a registration screen that removed the legend and the “at least 13” option. However, the new process failed to provide verification measures to establish that users claiming to be parents were indeed parents.

Kurbo’s notice of data collection and data retention practices also fell short. The COPPA Rule requires an operator to “post a prominent and clearly labeled link to an online notice of its information practices with regard to children on the home or landing page or screen of its Web site or online service, and, at each area of the Web site or online service where personal information is collected from children.” But beginning in November 2019, Kurbo’s notice at registration was buried in a list of hyperlinks that parents were not required to click through, and the notice failed to list all the categories of information the app collected from children. Further, Kurbo did not comply with the COPPA Rule’s mandate to keep children’s personal information only as long as reasonably necessary for the purpose it was collected and then to delete it. Instead, the company held on to personal information indefinitely unless parents specifically requested its removal.

Stipulated Order

In addition to imposing a $1.5 million civil penalty, the order, which was approved by the court on March 3, 2022, requires WW and Kurbo to:

  • Refrain from disclosing, using, or benefitting from children’s personal information collected in violation of the COPPA Rule;
  • Delete all personal information Kurbo collected in violation of the COPPA Rule within 30 days;
  • Provide a written statement to the FTC that details Kurbo’s process for providing notice and seeking verifiable parental consent;
  • Destroy all affected work product derived from improperly collecting children’s personal information and confirm to the FTC that deletion has been carried out;
  • Delete all children’s personal information collected within one year of the user’s last activity on the app; and
  • Create and follow a retention schedule that states the purpose for which children’s personal information is collected, the specific business need for retaining such information, and criteria for deletion, including a set timeframe no longer than one year.

Implications of the Order

Following the U.S. Supreme Court’s decision in AMG Capital Management, LLC v. Federal Trade Commission, which halted the FTC’s ability to use its Section 13(b) authority to seek monetary penalties for violations of the FTC Act, the FTC has been pushing Congress to grant it greater enforcement powers. In the meantime, the FTC has used other enforcement tools, including the recent resurrection of the agency’s long-dormant Penalty Offense Authority under Section 5(m)(1)(B) of the FTC Act and a renewed willingness to use algorithmic disgorgement (which the FTC first applied in the 2019 Cambridge Analytica case).

Algorithmic disgorgement involves “requir[ing] violators to disgorge not only the ill-gotten data, but also the benefits—here, the algorithms—generated from that data,” as then-Acting FTC Chair Rebecca Kelly Slaughter stated in a speech last year. This order appears to be the first time algorithmic disgorgement was applied by the Commission in an enforcement action under COPPA.

Children’s privacy issues continue to attract the attention of the FTC and lawmakers at both federal and state levels. Companies that collect children’s personal information should be careful to ensure that their privacy policies and practices fully conform to the COPPA Rule.

© 2022 Keller and Heckman LLP

Federal Trade Commission Implements Annual Adjustments to Hart-Scott-Rodino Notification Thresholds

The Federal Trade Commission (“FTC”)’s adjusted notification thresholds for the Hart-Scott-Rodino Anti-Trust Improvement Act of 1976 (“HSR Act”) for 2022 have gone into effect beginning February 23, 2022. The “size of the transaction” thresholds have increased to $101 million (from $92 million) and $403.9 million (from $368 million), and the “size of the person” thresholds have increased to $20.2 million (from $18.4 million) and $202 million (from $184 million). The new thresholds apply to transactions that close on or after February 23, 2022, while the prior “size of the transaction” and “size of the person” thresholds will apply to transactions closing before February 23, 2022.

The HSR Act requires the parties to a merger or other M&A transaction to file a notification of the transaction with the FTC and the Department of Justice (“DOJ”) if the transaction meets the “size of the transaction” test and the parties meet the “size of the person” test. These dollar thresholds are adjusted annually based on changes to the United States gross domestic product.

Notification is required if (a) the transaction is valued at more than $403.9 million, regardless of the size of the parties; or (b) a transaction is valued at more than $101 million, but not more than $403.9 million, and, generally, one party has total assets or annual net sales of at least $20.2 million and the other party has total assets or annual net sales of at least $202 million.

If notification is required, the FTC and DOJ will have 30 days from the date on which both parties file their notices to review the competitive effects of the transaction. Prior to the expiration of this 30-day review period, the FTC or DOJ may make an additional request for documents or information from either or both parties. The parties will not be permitted to close the transaction until the 30-day review period expires, or if the FTC or the DOJ has made an additional document or information request, until 30 days after the agencies confirm that the additional request has been satisfied in full. In the past, parties filing HSR Act notifications ordinarily could request an “Early Termination” of the 30-day waiting period. However, the FTC and DOJ announced, on February 4, 2021, that they were temporarily suspending the Early Termination practice during the transition to the new Biden administration. The agencies have not yet announced when they will resume the Early Termination practice.

The FTC also announced that the maximum civil penalty amount for failure to comply with the premerger notification rules of the HSR Act has increased to $46,517 per day, from $43,792 per day.

© 2022 Giordano, Halleran & Ciesla, P.C. All Rights Reserved

Article By Craig Ismaili and John Sikora of Giordano, Halleran & Ciesla, P.C.

For more articles on trade, visit the NLR Antitrust & Trade Regulation section.

Same As It Ever Was: FDA Reiterates That CBD Cannot Be Included in Food or Dietary Supplements

While we enter a new season this week, the same cannot be said for the FDA which, on November 16, reiterated that its approach to regulating the cannabidiol (CBD) industry will be “the same as it ever was”—a regulatory minefield. Grail Sipes, acting Deputy Center Director for Regulatory Policy at the FDA’s Center for Drug Evaluation and Research, emphasized the agency’s position that it needs additional CBD research and safety data before the agency will consider CBD for uses beyond prescription drugs, including usage as a food additive or dietary supplement. This, she said, is because “clear answers to many important questions are still lacking, such as what adverse reactions may be associated with CBD from hemp-derived products and what risks are associated with the long term use of these products.”

So why should industry stakeholders care about the FDA’s opinion anyway? Wasn’t hemp-derived CBD legalized at the federal level by the Agriculture Improvement Act of 2018, also known as the Farm Bill?

Yes, but as we discussed in a previous blog post, the FDA and FTC have overlapping enforcement authority over CBD marketing, with the FDA having primary authority over labeling. The FDA has previously issued guidance stating that CBD can be used as an ingredient in cosmetics so long as it does not cause the product to be “adulterated or misbranded.” However, a product containing CBD cannot be marketed as a drug absent FDA approval—a lengthy and costly process. Companies marketing CBD products must therefore ensure compliance with the FDA’s labeling requirements and guidance regarding CBD products.

The FDA has not been shy to issue warning letters to CBD companies that fail to heed the agency’s labeling requirements and guidance. Starting in April 2019, the FDA (together with the FTC) began issuing warning letters to companies marketing CBD products as treatments and cures for a variety of diseases and illnesses. Those agencies continued to issue warning letters for marketing and labeling violations throughout 2019, largely for improper health-based claims about CBD products (those letters are described in more detail here and here). The most recent iteration came in 2021 when the agencies issued two warning letters to companies selling over-the-counter (OTC) drugs for pain relief that contained CBD. Sipes made clear the FDA will continue to monitor the CBD marketplace and issue warning letters to companies making improper health claims in her November 16 comments.

Given these comments, we can expect the cat-and-mouse game between federal regulators and CBD companies that push the marketing envelope to continue. To mitigate the risk of falling within the FDA’s crosshairs, CBD companies must ensure compliance with the various state and federal regulations governing the labeling and advertising of their products. We provided several marketing dos and don’ts in a previous blog post. But given the FDA’s unchanging position, the biggest takeaway remains the same: don’t make claims that a CBD product “can prevent, treat, or cure” or a disease.

Article By Rachel L. Sodée and J. Hunter Robinson of Bradley Arant Boult Cummings LLP

For more news on biotech, food, and drug law, click here to visit the National Law Review.

© 2021 Bradley Arant Boult Cummings LLP