Retail and Consumer Products Law Roundup - June 2016

Manatt, Phelps & Phillips, LLP

In This Issue:

  • President Signs Legislation Modernizing Federal Chemical Regulation Law
  • NAD Vacuums Up Preference Claims
  • Uber Steers Litigation With Drivers Into $100M Settlement
  • Seventh Circuit Reinstates Data Breach Suit Against P.F. Chang's
  • New York AG Reports on Data Breaches
  • Spokeo, Inc. v. Robins: What Does It Mean for TCPA Lawsuits?

President Signs Legislation Modernizing Federal Chemical Regulation Law

Overhaul of Toxic Substances Control Act (TSCA) has important business implications for consumer product manufacturers and retailers.

By James Votaw, Partner, Environment

Why it matters

After a decade of negotiation, Congress has overwhelmingly approved legislation that, for the first time in 40 years, would modernize the federal Toxic Substances Control Act (TSCA)—the nation’s premier chemical control law. The TSCA amendments have deep, bipartisan support among industry, and environmental and consumer protection groups. The legislation was signed by the President on June 22.

In the past, TSCA has been primarily a concern only for manufacturers and importers of new chemicals. The new TSCA amendments, however, have the potential to disrupt existing chemical supply chains and to taint the reputation of well-accepted consumer goods made with any of the 65,000 chemicals in commerce that have never previously been reviewed for safety by EPA. These aspects make TSCA reform a potential concern for companies throughout the value chain, including consumer product manufacturers and retailers. It may not be possible to prevent all these disruptions, but there are proactive measures to take to minimize risks from the amendments and, for some companies, opportunities to develop competitive advantage.

Detailed discussion

Safety Review of “Grandfathered” Chemicals Is the Centerpiece of Reforms

The novel risk to existing supply chains arises from a new mandate and broader practical authority, under TSCA, for the US Environmental Protection Agency (EPA) systematically to prioritize and conduct risk evaluations for all chemicals currently in commerce in the United States, and to take risk management actions (everything from ordering product warning labels to complete bans) where warranted, taking into account how the chemical is used and the extent of environmental release and human exposure in workplaces and among the general public (e.g., through consumer products). For the first time, the thousands of chemicals listed on EPA’s inventory of chemicals in commerce (the “TSCA Inventory”) will be prioritized for formal risk review using measures of hazard and exposure, and EPA will be able to order testing where needed to assess hazards or exposure.

TSCA Creates New Risks for Consumer Product Manufacturers and Retailers

Risks arise for particular companies when chemicals in their product supply chain and important to their business (e.g., as a component of an important product) come under EPA safety review, or are prioritized by EPA for an early safety review. EPA is charged with reviewing the most problematic chemicals first, so the mere act of publicly listing a chemical as a high priority for safety review may cause retailers or their retail customers to deselect products containing that “high priority” chemical, even if it is used in a way in which there is no relevant exposure to the customer. Similarly, the results of toxicological testing compelled under EPA’s new, broader authorities may cause unwarranted harm to the reputations of products containing tested chemicals, for example, when hazard study results are released to the public without the context necessary to understand risk. This kind of reputational damage may force companies as a practical matter to discontinue or attempt to reformulate products made with the chemical. At the end of the safety review process, EPA has the authority to restrict or set terms for the use of particular chemicals where necessary, in EPA’s view, to control risks. This may be a good outcome for companies where EPA has appropriately identified previously unknown risks and reasonable means to avoid them. On the other hand, it may be quite harmful if EPA’s review process is flawed in some way (e.g., incorrect understanding of how the chemical is used or the extent to which people are exposed in end-use products), resulting in unwarranted restrictions on use. The amendments also present (or at least perpetuate) two other supply risks relevant to retailers and consumer product manufacturers.

TSCA Inventory Reset

In the next 18 months, EPA will require all chemical manufacturers to identify and report all chemicals they have made or imported in the past 10 years. EPA will use this information to cull its list of chemicals in commerce that must be prioritized and reviewed for safety by eliminating those no longer used. Once the inventory reset is complete, chemicals previously manufactured but not on the current list (intentionally or by error) can be used again in the future, but not until after a formal notice is submitted to EPA. The rules are not yet written, but EPA may require that notice include a wide variety of health and safety information, and it may trigger new use restrictions. The reporting process also may lead manufacturers to discover that some of their products had been on the market without undergoing the pre-manufacturing review process applicable to all new chemicals introduced since 1976—a serious violation. These kinds of issues often arise where the company and EPA unknowingly assign the same substance different chemical identities. Either of these issues has the potential to significantly disrupt supply chains for consumer product manufacturers and retailer customers.

State Chemical Control Regulation Continuing

State chemical control regulation remains an important consideration. Industry support for modernizing TSCA grew in recent years in response to a number of factors, including the breakup of the U.S. as a single market for many products due to a growing patchwork of state laws restricting particular chemicals from particular products. It was anticipated that TSCA reform would include strong state law preemption terms that would prevent states from enforcing their own chemical control laws in deference to national federal standards. The final TSCA amendments do include new preemption provisions, but they largely exempt most current state laws, and generally would allow states to develop and enforce new restrictions for a chemical until EPA reviews and takes action on that chemical, which may be many years. States may also seek waivers to allow continued enforcement of state standards. In addition, the amendments indirectly authorize states to enforce TSCA standards when states enact and enforce state laws that are identical to TSCA. Notwithstanding new TSCA preemption provisions, for these and other reasons, complying with varied state-level chemical product regulation is likely to remain an important consideration for consumer product manufacturers and retailers.

TSCA Amendments Present Benefits and Competitive Opportunities as Well

Although the TSCA amendments create some new risks, they also present opportunities to protect or enhance products and brands. For example, the amendments provide a mechanism for manufacturers to obtain EPA review of a chemical sooner than its risk priority would otherwise indicate. This can be a useful tool to obtain an independent, science-based endorsement by EPA concerning the safety of a chemical for particular uses. Such an endorsement may be invaluable to protect the reputation of a substance or product targeted by environmental or consumer protection groups that influence consumers directly, or may influence large private companies or state legislatures to deselect or regulate the substance in a way that is not warranted by the science, or similarly may confirm that even known dangerous chemicals can be safely used for particular applications. EPA on its own is required to identify chemicals that represent a low priority for review—signaling some confidence by EPA experts that they are relatively “safe” as used. (EPA has had a program for several years under which, at a manufacturer’s request, it will evaluate retail products for relative safety based on chemical content and related considerations as compared to other products in the same category). Companies may find competitive advantage in using EPA categorizations and, for example, formulating or reformulating retail products to exclude “high priority” chemicals or include only “low-priority” chemicals.

Companies may also benefit from risk reviews that identify previously unknown health risks from particular chemicals in their supply chains, which in turn help make decisions about formulation or handling that reduce long-term enterprise risk, and enhance product sustainability.

Key Takeaway—Know Which Chemicals Are in Your Products and Which Are Important to the Business

The first and most important step for consumer product manufacturers and retailers to manage the risks and potentially take advantage of the opportunities presented by TSCA reform is to know the supply chain and the chemicals that are important to the business. Coupled with awareness of EPA chemical work plans and initiatives, this gives companies the information they need to know when risks or opportunities are being created and how they should get involved.

In some circumstances, this may mean commencing internal product reformulation work or contingency planning with suppliers. However, retailers and consumer product manufacturers can play an important role in the safety review of individual chemicals, by providing robust information about how the chemical is used in the product and the extent of exposure to consumers and the environment. Manufacturers can use this information to demonstrate that a useful chemical with some hazardous properties nevertheless is handled safely or with such little actual exposure that no regulation is required. Similarly, retailers and consumer product manufacturers also may want to take affirmative steps to assure that chemicals important to their business are reported to EPA as part of the Inventory Reset process and not inadvertently omitted. At a more fundamental level, one of EPA’s first tasks is to decide how it will prioritize chemicals for review. Depending on the circumstances, getting involved in public proceedings (either alone or as part of consortia of companies with common interests) even at this stage may help companies influence that decision process to the advantage of their products or disadvantage of competitors’. Similarly, companies with common interests in the continued availability and use of a particular chemical under attack from states, NGOs or other interests may want to solicit EPA safety evaluation of the chemical ahead of its normal risk prioritization to quell unwarranted criticisms and restrictions.

It will take years for EPA to complete its safety reviews. In the near term, EPA likely can be expected to focus first on the 90 chemicals contained in its 2014 TSCA Work Plan for Chemical Assessments. These chemicals were ranked and selected for review based on a number of considerations, including perceived health or environmental hazard, persistence in the food chain or environment, manufacturing volume, and the extent of potential consumer exposure.

NAD Vacuums Up Preference Claims

Why it matters

In a challenge brought by a competing vacuum manufacturer, the National Advertising Division recommended that SharkNinja discontinue a claim that "Americans now choose Shark 2-to-1 over Dyson."

The self-regulatory body cautioned advertisers that "total sales are not always synonymous with consumer preference," as there are "a number" of variables that influence consumer preference for one product over another, from the cost of the product to the realities of the marketplace. An advertiser's best bet for substantiating a preference claim: "Survey evidence which directly gauges consumer preference among competing products is the most relevant support for a claim that one product is preferred over another," the NAD wrote.

Detailed discussion

Shark told the self-regulatory body that the term "choose" conveyed to consumers that the claim was based on sales volume, especially as it was accompanied by a conspicuous disclosure of "Unit Sales of Upright Vacuums" located directly underneath the claim in bold, clear, easy-to-read font. Consumers' preference for one product over another can be based on a number of different factors, including total sales, the advertiser said.

The challenger, Dyson, countered that the preference claim lacked support. The reasonable implication of the claim is that Shark conducted some form of consumer preference study to support its comparison, Dyson argued, and the mere fact that one brand happens to outsell another does not, by itself, illustrate that consumers prefer the other brand. Sales data are particularly suspect as substantiation for preference claims, when there is a large difference in price between the products, as in the case between Shark and Dyson, the challenger said.

The self-regulatory body agreed. "NAD reviewed the challenged commercials in their entirety and determined that one of the messages reasonably conveyed is that consumers prefer Shark vacuums over Dyson vacuums—a preference message which goes beyond sales superiority," according to the decision.

Although Shark used the word "choose," when combined with the word "over" the ads indicated "that there is a preference between two options," the NAD explained. Further, "within the context of the commercials which contain numerous performance claims, it is a reasonable consumer takeaway that the choice to purchase a Shark is based on consumers' preference for a vacuum that provides such benefits."

For example, in one Shark infomercial, the announcer touted the benefits of the vacuum by stating that it "has more suction than the newest $700 Dyson Cinetic," "makes my home cleaner and my job easier," concluding with "The Powered Lift-Away is the total transformation of the upright vacuum. It's no wonder that Americans now choose Shark 2-to-1 over Dyson."

"Use of the phrase 'it's no wonder' clearly connects the purchasing decision to the aforementioned attributes, thus conveying that consumers have a preference for Shark vacuums over Dyson vacuums because of such qualities," the NAD wrote.

Was Shark's sales data sufficient to provide a reasonable basis for the claim? No, the NAD determined.

"By its nature, a consumer preference claim connotes that a particular group of consumers (representative of a defined population) have made an identifiable product choice between two or more products based upon a particular product attribute (or attributes)," the NAD wrote. "While overall sales may be one indicia of consumer preference, sales alone are not wholly dispositive of individual preference."

Other variables are at play in consumer preference, such as the cost of the product and the accessibility of obtaining the product, the self-regulatory body noted, as well as the realities of the marketplace, which may sometimes "have a serious effect on the opportunity to choose and, thus, sales may not be a truly accurate barometer of consumer preference."

Given the price difference between Shark and Dyson products, "consumers who buy Shark products are not necessarily choosing them over Dyson," the NAD said. Further, Shark's claim "obscures the fact that the comparison is based purely on sales," the decision added. "The disclosure … is not likely to be understood by consumers to mean that Shark brand outsells Dyson and even if it did, that message is contradictory to the main message that consumers 'chose' Shark 'over' Dyson in a head-to-head selection."

The NAD recommended that Shark discontinue the claim that "Americans now choose Shark 2-to-1 over Dyson," but noted that "nothing in this decision precludes Shark from making a comparative claim based on unit sales (e.g., 'Shark outsells Dyson 2-to-1'), provided that such a claim is accurate and does not imply a head-to-head preference."

To read the NAD's press release about the case, click here.

Uber Steers Litigation With Drivers Into $100M Settlement

Why it matters

In late April, Uber announced a settlement agreement, with the possibility of a $100 million payout, in the high-profile litigation challenging the classification of drivers as independent contractors. Drivers in California and Massachusetts sued the company over its employment practices, claiming the ride-sharing app improperly characterized them as independent contractors when they were actually employees, entitled to additional payments and benefits.

Pursuant to the settlement terms, Uber will continue to classify drivers as independent contractors and not employees. However, the estimated 385,000 drivers will receive a payout and beneficial changes to Uber policy. The company will help with the creation of "drivers associations" in both states and clarify its policy on how and why drivers are "deactivated" from driving for the service. Uber also promised to pay $84 million to the drivers, with an additional $16 million added to the settlement fund if the company holds an IPO and the average valuation of the company increases to one and a half times that of its last financing round ($62.5 billion as of December 2015). The deal still requires approval from the federal court judge overseeing the litigation, but if it gets the go-ahead, it could set the tone for similar deals in other states. It also establishes that Uber will not be budging on its stance that drivers are not employees.

Detailed discussion

While ride-sharing apps like Lyft and Uber Technologies have seen enormous growth over the last few years, the companies have also faced significant employment issues. Drivers in several states have sued the companies alleging they were misclassified as independent contractors instead of employees, seeking additional wages or reimbursement.

Facing a putative class action in California federal court, Lyft recently reached a deal with drivers. The company agreed to make changes to its terms of service to provide drivers with greater protections and pay $12.25 million to the class but refused to alter the classification of drivers to employees going forward.

Uber reached a similar agreement, albeit on a larger scale. The company was facing consolidated class actions filed in California and Massachusetts where the drivers had successfully moved for class certification. But after three years of litigation and with trial scheduled to begin on June 20, the parties put on the brakes.

The deal includes both policy changes and a monetary payout by Uber. The approximately 385,000 drivers in the two states will receive portions of an $84 million settlement fund that could be bumped up to $100 million if the company holds an IPO and the average valuation of the company increases to one and a half times that of its last financing round, $62.5 billion as of December 2015. Awards will be based on the number of miles driven, with those logging 25,000 or more miles receiving in the range of an estimated $8,000.

Policywise, Uber agreed to provide more details about how and why drivers are "deactivated" from the service and clarify policies on tips, as well as helping with the creation of a drivers' association in both states. Specifically, the company said riders will be informed that tips are not included in the fare and drivers will be permitted to put signs in their cars stating that "tips are not included, they are not required, but they would be appreciated." Uber also provided a list of the reasons why a driver may be deactivated, ranging from using drugs and alcohol to carrying a firearm to unsafe driving.

Perhaps most significantly, Uber will not change its business model pursuant to the deal, and drivers will continue to be classified as independent contractors. The company still faces litigation in other states (including Arizona, Florida, and Pennsylvania) on the issue, and the legal question of the appropriate characterization of drivers for ride-sharing apps remains unanswered.

To read the motion for preliminary approval of the settlement agreement in O'Connor v. Uber Technologies, click here.

Seventh Circuit Reinstates Data Breach Suit Against P.F. Chang's

Why it matters

The Seventh Circuit Court of Appeals reversed the dismissal of a data breach suit against P.F. Chang's, holding that the risk of future fraudulent charges and identity theft created by a data breach constituted a "certainly impending" future injury to establish standing for the plaintiffs.

The Seventh Circuit has now firmly established itself as a plaintiff-friendly jurisdiction for data breach litigation, with the Lewert decision building upon the generous standing position adopted in a prior data breach case in Remijas v. Neiman Marcus Group. The Remijas ruling provided a road map for data breach plaintiffs to win the battle over standing. As noted by the panel, the Lewert plaintiffs alleged "the same kind" of injuries as the successful plaintiffs in the Remijas case. In addition, companies should note that the court relied upon statements released by P.F. Chang's after the breach to support the plaintiffs' contentions, including advice to review credit reports and comments on the scope of the breach.

Detailed discussion

Like many other companies, the national restaurant chain recently suffered a data breach. In June 2014, P.F. Chang's announced that its computer system had been breached and consumer credit and debit card data had been stolen. As a precaution, the company switched to a manual card processing system at all locations in the United States. A few weeks later the company announced that it had determined data was stolen from just 33 restaurants and only one in Illinois.

Two Illinois residents filed separate suits against P.F. Chang's. Lucas Kosner alleged that a few weeks after he paid with his debit card at the restaurant, four fraudulent transactions were made. He cancelled the card immediately and, believing the charges occurred because of the data breach, purchased a credit monitoring service for $106.89. John Lewert dined at the same restaurant, also paying with his debit card. Although no fraudulent transactions were made with his card, his complaint stated that he spent time and effort monitoring his card statements and his credit report after he learned of the breach. Neither plaintiff dined at the Illinois restaurant identified by the chain as being impacted by the breach.

P.F. Chang's moved to dismiss the consolidated cases, arguing that the plaintiffs lacked standing to bring suit. A federal district court agreed, but a three-judge panel of the Seventh Circuit reversed.

As a starting point, the court referenced the prior decision on standing in Remijas, where the Seventh Circuit concluded that the plaintiffs' increased risk of fraudulent credit and debit card charges and identity theft was concrete and particularized enough to support Article III standing. Standing was further supported by the time and money class members spent protecting against future identity theft or fraudulent charges, the Remijas court said.

"In the present case, several of Lewert and Kosner's alleged injuries fit within the categories we delineated in Remijas," the court wrote. "They describe the same kind of future injuries as the Remijas plaintiffs did: the increased risk of fraudulent charges and identity theft they face because their data has already been stolen. These alleged injuries are concrete enough to support a lawsuit."

The plaintiffs also pled sufficient facts to establish standing on their present injuries, the panel added, with Kosner asserting that he already experienced fraudulent charges and Lewert claiming that he spent time and effort monitoring his card statements and other financial information.

The restaurant chain attempted to distinguish Remijas by arguing that the plaintiffs' data was not actually exposed in the breach, noting that Lewert and Kosner dined at a restaurant not identified as one of those impacted by the data theft. "To the extent this is a valid distinction (and that is questionable), it is one that is immaterial," the court said. The plaintiffs plausibly alleged that their data was stolen and that P.F. Chang's public statements addressed customers who had dined at all of its stores in the United States.

"This creates a factual dispute about the scope of the breach, but it does not destroy standing," the Seventh Circuit explained. "P.F. Chang's will have the opportunity to present evidence to explain how the breach occurred and which stores it affected. Perhaps it can trace which specific data files were stolen. Perhaps each individual location's data is behind a separate firewall. Or perhaps it is being too optimistic and the breach was greater than it suggests."

"When the data system for an entire corporation with locations across the country experiences a data breach and the corporation reacts as if the breach could affect all of its locations, it is certainly plausible that all of its locations were in fact affected," the court added.

Addressing the plaintiffs' other asserted injuries, the panel said the cost of their meals was not an injury, despite their claim they would not have dined at the restaurant had they known of its poor data security. Nor did the panel accept their contention that they had a property right in their personally identifiable data.

Lewert and Kosner did manage to satisfy the requirements for causation and redressability, however. The court again rejected the defendant's argument that they dined at a restaurant not hit by the hackers, as that would assume the answer to a disputed fact. "All class members should have the chance to show that they spent time and resources tracking down the possible fraud, changing automatic charges, and replacing cards as a prophylactic measure," the court said.

To read the decision in Lewert v. P.F. Chang's China Bistro, Inc., click here.

New York AG Reports on Data Breaches

Why it matters

In a new report, the New York Attorney General's Office revealed that it received 459 data breach notices between January 1, 2016, and May 2, 2016, an increase of 40 percent over the same time period in the prior year, when the office received a total of 327 notices.

"Data breaches are an escalating threat to our personal and national security, and companies need to do more to ensure reasonable security practices and best standards are in place to protect our most sensitive information," Attorney General Eric T. Schneiderman said in a press release. "I am committed to stemming the data breach tide. Making notification to my office easier for companies who have experienced a data breach means quicker notification and quicker resolution for New York's consumers."

Detailed discussion

New York's Information Security Breach and Notification Act requires companies to provide notice to the AG's Office and consumers in the event of a data breach. Last year, the Office received 809 data breach notices. Given the upward trend already visible in the first half of 2016, the Office expects to receive "well over 1,000 notices" this year, Attorney General Schneiderman said—a new record high.

To improve efficiency with the increased volume, the AG's Office provided companies with the ability to file notice electronically via a submission form on the Office's website. Previously, companies were required to mail, fax, or e-mail their notices.

In addition to details about the entity breached, the form requires companies to select a description of the breach (an external systems breach, for example, or insider wrongdoing), as well as the information acquired in combination with a name or other personal identifier (such as a Social Security number or financial information). Entities must report the total number of consumers affected, and how many New Yorkers were impacted, along with the dates of the breach and when it was discovered. A copy of the notice to affected consumers must be provided to the AG's Office, along with information about whether the company has suffered any other breach notifications within the prior 12 months.

Attorney General Schneiderman has kept a close eye on data breaches in the state during his tenure, releasing a report in 2014 titled "Information Exposed: Historical Examination of Data Security in New York State." Analyzing eight years of security breach data for the state, the report found that the number of reported data security breaches in New York more than tripled between 2006 and 2014. The roughly 5,000 data breaches impacted 22.8 million personal records of New Yorkers, according to the report, with hacking intrusions by third parties the number-one cause of breaches.

To read the AG's press release, click here.

To view the New York State security breach reporting web submission form, click here.

Spokeo, Inc. v. Robins: What Does It Mean for TCPA Lawsuits?

By Christine M. Reilly | Marc Roth | Diana L. Eisner

Why it matters

As reported in our recent TCPA Connect, on May 16 the United States Supreme Court issued its highly anticipated ruling in Spokeo, Inc. v. Robins. The High Court ruled that a plaintiff must show a "concrete" injury-in-fact to pursue a claim arising under the Fair Credit Reporting Act (FCRA). However, the Court's reasoning was not confined to FCRA and its decision will likely have far-reaching implications in a variety of class action lawsuits brought under other federal consumer protection statutes, including the Telephone Consumer Protection Act (TCPA).

Detailed discussion

As the Court recognized, "Congress' role in identifying and elevating intangible harms does not mean that a plaintiff automatically satisfies the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right. Article III standing requires a concrete injury even in the context of a statutory violation." Alleging a "bare procedural violation" of a statute is insufficient to confer standing where there is no real harm.

At the pleading stage, then, the plaintiff must "clearly allege facts" demonstrating a concrete injury. "Concrete" means that the injury must be "real" and not abstract; in other words, an injury must "actually exist." However, the Supreme Court left open the possibility that the "violation of a procedural right granted by statute can be sufficient in some circumstances to constitute injury in fact." In such a case, a plaintiff need not allege any additional harm beyond the one identified by Congress.

It remains to be seen how Spokeo will be applied in TCPA cases, but Spokeo certainly adds to a defendant's arsenal of arguments designed to dispose of a case at an early stage and may help curb the explosion of TCPA lawsuits over the last several years. TCPA plaintiffs and their attorneys often take a "kitchen sink" approach to litigation and pursue TCPA lawsuits in mass volume. Complaints are typically boilerplate, containing minimal, if any, connection between the defendant's alleged violation and any actual injury. Thus, many plaintiffs pursuing claims under the TCPA do not allege a "real" injury, other than a violation of a statutory right.

In the "robocall" context, for example, many plaintiffs simply allege receipt of an unwanted call or text message. Other plaintiffs acknowledge they consented to receive text messages, but the messages do not contain the precise disclosure language required by the FCC's regulations. Now, after Spokeo, it is possible that such allegations cannot ipso facto establish standing to sue. Plaintiffs may need to allege a concrete or real harm. This may be difficult, given that so many Americans are on "unlimited" or flat-rate cell phone plans where no charges are incurred for incoming calls or text messages and no other "injury" exists other than an alleged privacy invasion. In cases where the plaintiff did not answer the phone or know about the call absent the use of Caller ID, the plaintiff may be unable to allege a concrete harm stemming from the unanswered call, potentially shuttering the lawsuit.

In the fax context, TCPA plaintiffs often allege that the opt-out notice on junk faxes does not comply with the TCPA's technical requirements, including the specific disclosure that failure to remove the recipient from the distribution list within 30 days of receipt of the opt-out request violates the law. Complaints are usually devoid of any alleged harm stemming from this type of technical violation, particularly where the fax otherwise contains opt-out instructions. Before Spokeo, this allegation may have been sufficient to establish Article III standing, despite the absence of any alleged concrete harm to the recipient. Now, this type of allegation may very well be insufficient to confer Article III standing, given the lack of any alleged harm from what appears to be a "bare procedural violation."

Importantly, standing under Article III of the U.S. Constitution is a threshold requirement to bringing suit in federal court—a plaintiff without Article III standing cannot maintain suit. Moreover, this jurisdictional issue can be raised at any time, including on appeal. So, even for defendants currently engaged in TCPA litigation, Spokeo may provide another avenue for limiting or disposing of TCPA cases.

Beyond the threshold standing issue, Spokeo has the potential to constrain a plaintiff's ability to certify a class under Rule 23 of the Federal Rules of Civil Procedure. Under Rule 23, the primary inquiry is whether questions of law or fact are common to all class members. If commonality is lacking, no class can be certified. In TCPA cases, plaintiffs have obtained class certification based on the mere receipt of an alleged call, text message, or fax giving rise to a cause of action. However, based on Spokeo, arguably each class member must demonstrate a concrete harm, which may create an individualized inquiry that is inapt for class resolution.

In practice, Spokeo may force plaintiff lawyers to select putative class representatives more carefully, and to ensure that the named representative has suffered a "concrete" injury from a purported violation. Spokeo could also curb federal lawsuits based solely on a technical violation of the TCPA, such as an insufficient or imperfect disclosure. And, given the potential impact on class certification under Rule 23, narrowed class definitions could become the trend. TCPA classes are typically broadly defined and include all persons who received the alleged call or text during the four-year statute of limitations. Class composition could shift from a class that includes everyone on the defendant's call log to a class composed only of those who have suffered specified injuries.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Manatt, Phelps & Phillips, LLP | Attorney Advertising

Written by:

Manatt, Phelps & Phillips, LLP