Finally, CCPA Regs Become Final – but Wait, There's More…or Less…
On Aug. 14, California Attorney General Xavier Becerra announced approval by the Office of Administrative Law (OAL) of final regulations (Regs) under the California Consumer Privacy Act (CCPA). Proposed final regulations were submitted to the OAL by the Office the Attorney General (OAG) on June 1, 2020. During OAL’s review process, additional revisions were made to the proposed regulations. The approved regulations are now in effect along with the CCPA, which went into effect on Jan. 1. While the final regulations are largely the same as those published in June, there are some material changes of which businesses should be aware.
Topping the list is the removal of the “Do Not Sell My Info” link option. In addition, four proposed sections were withdrawn that provided guidance on (1) how businesses may use previously collected information for a materially different purpose by obtaining express consent from consumers, (2) how businesses substantially interacting with consumers offline should provide notice of the right to opt out via an offline method, (3) minimum standards for submitting requests to opt out to businesses and (4) the ability to deny certain requests from authorized agents if they fail to submit certain documentation.
For more information on the changes and the procedural steps the OAG may take to further revise the regulations, click here. Visit our Consumer Privacy Resource Center or follow our Data Counsel blog for a series of blog posts dissecting the final regulations and examining the potential impact of proposed amendments to the CCPA that will be on the Nov. 3 ballot in the form of a voter initiative.
Twitter to SEC: FTC Steamed Over Violated Consent Decree
Company estimates potential quarter-billion-dollar loss
Past as Prologue?
You know those Federal Trade Commission (FTC or Commission) settlement agreements flashing in client alerts?
What happens when a company breaks those agreements? That is where the FTC has real authority to seek monetary penalties, even if it lacked that authority in the matter that led up to the consent order. And the Commission typically has that hammer hanging over the head of the party subject to the settlement for 20 years, with reporting obligations and auditing rights.
Back in 2011, Twitter hammered out a consent decree with the Commission in response to a complaint alleging that Twitter violated the FTC Act by falsely representing to consumers that it uses reasonable safeguards to protect user information from unauthorized access and to honor the privacy choices exercised by users. You may remember the incident leading up to the settlement, where hackers accessed the account of Fox News and also sent an unauthorized tweet from an account purportedly belonging to then-president-elect Barack Obama, which offered his more than 150,000 followers a chance to win $500 in free gasoline in exchange for filling out a survey. Embarrassing!
Among the sins: failure to prohibit the use of dictionary words for administrative passwords; failure to create policies that keep password lists in plain text in user emails; and failure to enforce periodic password changes.
The company agreed to be barred for 20 years from misleading consumers about “the extent to which it protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information, including, but not limited to, misrepresentations related to its security measures to: (a) prevent unauthorized access to nonpublic consumer information; or (b) honor the privacy choices exercised by users.”
Hence our interest in the following note, embedded in Twitter’s most recent 10-Q filing: “On July 28, 2020, the Company received a draft complaint from the Federal Trade Commission (FTC) alleging violations of the Company’s 2011 consent order with the FTC and the FTC Act.”
According to the note, the complaint alleged that Twitter used phone numbers and email addresses provided for “safety and security” purposes—perhaps information used for two-factor identification? —to create targeted ads to customers. We don’t know anything else about the allegations—the complaint is not available on the FTC website, as far as we can tell.
The takeaway? You must maintain an inviolable firewall between private information collected for non-marketing purposes and that collected for marketing purposes. Period. And if you are subject to a consent order, mistakes like this send you from the frying pan into the fire. Twitter predicts the complaint may cost it $250 million by the time the dispute is done. Now that is real money!
FTC Honchos Outline Successes, Challenges Before Senate
Data security and privacy dominate comments of chair and commissioners
On Aug. 5, the FTC chair and commissioners gave testimony before the Senate Committee on Commerce, Science, and Transportation regarding the current state of the Commission, the challenges it faces and some of its recent successes. All commissioners provided their testimony remotely, and you can watch a recording of the proceeding on a video link halfway down the page.
Before we get to the substance: Scrying the backgrounds of videoconference participants has become a bit of a national parlor game. What did we learn about the commissioners from this peek inside their homes?
Were we reassured by the somber, clean lines of Commission Chairman Simons’ office? Did we find comfort in the homey, sturdy warmth of Commissioner Wilson’s stone fireplace?
And you’d need to have a heart of stone to not be charmed by Commissioner Rebecca Slaughter’s 2-month-old baby, who was holding on to her mother while Slaughter gave her testimony.
Here’s an exchange from Slaughter’s portion of the hearing:
Committee Chairman Senator Roger Wicker: “Who’s your guest?”
Commissioner Slaughter: “This is Hattie. She is my new baby; she is two months old…”
Senator Wicker: “She seems very relaxed by your position on the issues.”
The Commission’s prepared testimony covered a range of issues, including the renewal of the SAFEWEB Act, which arms the Commission with enforcement authority over cross-border telemarketing, robocalls and privacy violations; its pursuit of COVID scammers on its own and in cooperation with the Food and Drug Administration; and “VoIP service providers and others that may have been assisting and facilitating the transmission of robocalls using coronavirus-related messages,” as well as multilevel marketing companies making allegedly unsubstantiated health and earnings claims.
Data security and privacy, however, took up most of the written testimony and the commissioners’ individual remarks.
Chairman Simons reiterated a commitment to data security and privacy, asking the committee to champion legislation that will give the Commission expanded enforcement power. Commissioner Phillips echoed Simons’ concerns and spoke persuasively about the gaps that exist in current enforcement. Commissioner Slaughter called attention to children’s privacy concerns as distance learning continues for many of the nation’s children. Commissioner Wilson outlined necessary elements of data security and privacy legislation that build on learnings from the rollout of GDPR in the EU. (Commissioner Chopra, an outlier, focused on COVID’s effect on small businesses.)
The hearing itself was about two hours and 45 minutes long, so it’s impossible to go into detail about everything that was discussed. Watch the video or use the links on the same page to read the testimony.
Consumer Tries to Wipe Out Germ-Killing Claims
Class action disses product’s main ingredient and instructions for use
Has personal hygiene ever been more important than it’s been during the past few months? Suddenly, something as entirely mundane as washing your hands—including the products one uses; the ingredients in those products; and public policy regarding their manufacture, availability and distribution—are inspiring what seems like Ph.D. levels of expertise among the hoi polloi (not to mention a conspiracy theory or two).
So perhaps it’s to Lauren Souter’s credit that her recent class action complaint against Edgewell was so exhaustively footnoted and sourced.
Souter sued Edgewell, manufacturer of Wet Ones hand wipes, in July in the Southern District of California. The suit takes aim at claims and instructions on the Wet Ones packaging, including the assertion that the products “Kill 99.99% of Germs.”
As a second count, Souter alleges that Edgewell falsely represents that the hand wipes are “hypoallergenic” and “gentle on skin” when in fact, “numerous ingredients in the Products are known allergens or skin irritants.”
Souter claims that the active ingredient in Wet Ones, benzalkonium chloride (BAC), doesn’t kill certain microorganisms that cause disease. Moreover, the percentage concentration of BAC and the delivery method of the wipes aren’t effective. Even the directions on how to use the wipes — “apply to hands” and “allow skin to dry without wiping”— is allegedly guaranteed to be ineffective. “BAC...is slow to act,” the complaint maintains, “meaning that it generally must remain on hands for more time than soap and water or an alcohol-based hand sanitizer to ‘kill germs.’”
The complaint goes on from there…and on…and on. There’s exhaustive detail about the membrane structure of certain germ cells, and additional “numerous false and misleading representations about the hypoallergenic and gentle formulation of the Products”—the active ingredient, BAC, is a recognized skin irritant, according to Souter.
Souter alleges breach of express warranty, quasi-contract, and, under California law, unfair and unlawful business acts and practices, deceptive advertising practices, and violations of the state’s Consumer Legal Remedies Act.
In our present day, such a situation should give pause to any company making germ-killing claims. At issue is the gap between the advertising claim that Wet Ones kill “99.99%” of germs and the fact that Wet Ones allegedly fail to kill many types of germs, including those responsible for tuberculosis and C. diff infections. Souter even cites one study finding that Wet Ones’ active ingredient, BAC, is less effective against coronaviruses such as SARS and MERS than many other disinfectants. Would consumers looking for COVID protection be better off using other household cleaners? The jury is out on that one.
Of course, killing “99.99%” of germs may mean many things—it could well indicate that out of a population of 10,000 germs, Wet Ones will kill 9,999 of them. Will copywriters really have to start counting germs or germ species? One thing is for sure: In the midst of a pandemic, regulators, consumers and competitors are more likely to scrutinize health-related claims—which, as we’ve said many times, require a heightened level of substantiation and care.
Genealogy Giant Tagged for Iffy Auto-Renewal Policies
Ancestry.com tagged extra charges on to “free trial,” say consumers
Two Great Tastes
Two of America’s obsessions collided in California’s Southern District in July: genealogy and litigation.
Genealogy is a national pastime. The vast majority of American families have roots in another country, leading to an obsession with identity that people in our “countries of origin” find somewhere between touching and maddening.
From that obsession grew online genealogical services—one of the few markets that derives added value from social networking. So many of us, so desperate to understand who we are, are now able to communicate with each other faster than ever before; of course, online genealogy blew up.
Ancestry.com is the granddaddy of online genealogy; check out its Wikipedia entry—it’s interesting stuff. The company is currently on the selling block, with a projected price tag of $4.7 billion.
This brings us to our country’s other favorite pastime: suing the pants off one another.
(But we should note that American litigiousness is a disputed stereotype—some wags claim we’re not especially suit-prone; others claim that we’re in the top five most litigious countries in the world. Can’t we be No. 1?!)
Recently, Ancestry was sued in California’s Southern District by consumer Marta Carrera Chapple, who requested a free trial through Ancestry’s website in February 2020. She expected to be charged $39.99 for that month following her 14-day trial; instead, she was charged in March and April for the same amount. She claims she wasn’t informed about this automatic renewal prior to enrolling. Chapple points to “hundreds of customer complaints about Ancestry.com posted on various consumer websites” telling tales of similar deceptive practices.
Chapple seeks redress for false advertising violations of California’s Automatic Renewal Law and Consumers Legal Remedies Act, as well as unfair competition.
We’re not sure where the case is going—as of this writing, Ancestry is attempting to compel arbitration—but we’ll stay focused on developments.
Until then, make sure your renewal disclosures are upfront and crystal clear.
Oreo False Advertising Class Action Lacks Filling
Beloved snack made with real cocoa, even if it’s processed with something else
It seemed like a juggernaut of a class action. At its center was the Oreo cookie—a beloved, iconic snack food—and Mondelez, the company that makes them, a global monster of a snack-food company with a 100-year pedigree in the business. Consumers drawn from 12 states filed claims against the company, spanning 40 state jurisdictions and the District of Columbia.
But the whole thing…fell kind of flat.
We were going to say “crumbled” but thought better of it.
The class action, filed in the Eastern District of New York back in April, boiled down to a simple issue: whether or not Mondelez was falsely advertising its Oreo cookies when it printed “Always Made With Real Cocoa” on the packaging. The cocoa in Oreos, you see, is processed with alkali—a fact that, as the plaintiffs noted, was disclosed on the packaging ingredients list.
And that made all the difference.
The court granted Mondelez’s motion to dismiss at the end of July, deflating the case with a minimalist, eight-page order. “[T]he parties agree that the critical issue for resolving this motion is whether a reasonable consumer would be misled by Defendant’s statement that its Oreos are ‘Always Made With Real Cocoa,’” the court wrote. But “Plaintiffs do not dispute that the challenged products are in fact made with cocoa, which is fatal to their case.”
The words “made with” in the tag didn’t lead anyone astray, in the court’s analysis. Earlier cases had established that “a representation that a food is ‘made with’ a ‘real’ ingredient does not necessarily mislead from the truth that the advertised ingredient may have been combined with another.”
And with that, the case—all 40 states’ worth of it—got dunked.
There’s no cautionary tale for you here, folks—just an example of how proper copywriting, and disclosures, can spare your company significant expense, even if it can’t guarantee that you won’t be sued.