At the start of the inquiry, ACT’s website stated that test centers may “occasionally” cancel tests due to unforeseen circumstances. NAD seemed to be concerned that the statement minimized the possibility of cancellation, when cancellations were more widespread. During the inquiry, ACT updated its site to make the potential for cancellations more clear, and it provided instructions to test takers about how they would be notified of cancellations.

NAD was also concerned that some of the test centers listed on the ACT site were not able to administer tests due to COVID-19. Although ACT took steps to remove centers that weren’t available, NAD recommended that ACT do more “to avoid conveying a misleading message about the availability of test centers.” For example, NAD suggested “clearly and conspicuously disclosing information about test center availability and [ACT’s] process for reconfirming availability.”

NAD only has jurisdiction over “national advertising.” Are statements that test centers may “occasionally” cancel a test or that a center is open ads? According to NAD, they could be. The term “national advertising” generally encompasses commercial messages that have “the purpose of inducing a sale or other commercial transaction.” NAD noted that the messages at issue were advertising because “the information is posted to induce the consumer to register for the test, which is a “sale or other commercial transaction.”

NAD’s interpretation of “national advertising” is arguably broader than what many advertisers would expect, but it’s something to keep in mind, especially as you communicate with customers about how you are dealing with disruptions due to COVID-19. Try to make sure that you clearly describe how your locations and services may be affected, and give some thought to how you can minimize unpleasant surprises.

This case is also interesting because it may provide some clues as to how NAD finds cases. The decision mentions that “complaints about large-scale ACT test center closures during the pandemic were widely reported,” and cites articles in the Washington Post and Forbes. NAD also notes that “a search of ACT’s Facebook pages revealed numerous frustrated parents who noted that centers that were listed as available for registration were closed.”

As we’ve noted before, it make sense to monitor complaints and act on them quickly before they turn into more formal problems.

While EPA has long prioritized enforcement of the rules governing antimicrobial products (disinfectants and the like), the current pandemic has elevated that focus substantially, particularly against products that claim or suggest effectiveness in fighting coronavirus and other microbes. Some of the more high-profile actions over the last year have targeted on-line sales of products (often imports) that are not registered with EPA to make antimicrobial claims, as required by the Federal Insecticide Fungicide and Rodenticide Act (FIFRA).

In a January 2021 update to a COVID-related compliance advisory first issued in May 2020, EPA reiterated its aggressive enforcement stance, with an emphasis on internet product sales:

“EPA is receiving a steady stream of tips/complaints concerning potentially false or misleading claims, including efficacy claims, associated with pesticides and devices. These tips and complaints are being actively reviewed and efforts are being made to identify violative products. EPA intends to pursue enforcement against products making false and misleading claims regarding their efficacy against the coronavirus. EPA is particularly concerned with pesticide and pesticide device products sold online on e-commerce platforms that are fraudulent, counterfeit, and/or otherwise ineffective. EPA is also coordinating with the U.S. Department of Justice, U.S. Customs and Border Protection, and other federal partners to bring the full force of the law against those selling or otherwise distributing violative products.”

The updated EPA advisory also highlights agency concerns with products improperly claiming long-lasting anti-viral effects (so-called “residual claims” that a product “provides an ongoing antimicrobial effect beyond the initial time of application, ranging from days to weeks to months”). Such claims only are allowed if approved by EPA and “supported by acceptable studies demonstrating satisfactory residual efficacy,” consistent with agency guidance issued in October 2020.

EPA’s updated advisory also expands on, and somewhat shifts, the agency’s discussion of pesticide “devices” (e.g., UV lights, ozone generators, and other instruments that use physical or mechanical means to control pests, including viruses and other germs) that claim to kill the coronavirus. Unlike chemical pesticides, devices are not required to be registered by EPA and, therefore, are not scrutinized by the agency to ensure they are safe to use or work as intended. [Note that devices must meet other EPA requirements, including being labeled with an “EPA Establishment Number” to identify the facility at which the device was produced, and not being marketed with “false or misleading” claims.] While EPA does not review efficacy data for these products, manufacturers must have on file adequate substantiation for the claims they make. Interestingly, the May 2020 advisory noted that “devices may not be able to make claims against coronavirus where devices have not been tested for efficacy or safety for use against the virus causing COVID-19 or harder-to-kill viruses.” This language has been replaced in the January 2021 advisory with a more general reminder that

“[M]aking false or misleading labeling claims about the safety or efficacy of a pesticidal devices is prohibited and could result in the issuance of a Stop Sale, Use, or Removal Order and penalties ….”

In addition, on the litigation front, EPA continues to fight two novel challenges to the scope of the agency’s enforcement authority. In the first case (Zuru LLC v. EPA), filed in September, the company is challenging EPA’s determination that its cleaning wipes are an unregistered pesticide, and blocking its importation, because the wipes contain an active ingredient found in a number of other EPA-registered disinfectants; of website statements made by third party resellers that the wipes are “disinfectants” and “kill germs”; and the product name “‘Bactive’ implies bacterial fighting properties.”

The second case, Tzumi Innovations v. EPA, filed in December, similarly involves objections to EPA’s designation of the company’s hand wipes (typically for use on the human body and an FDA-regulated product) as an unregistered pesticide and a threatened Stop Sale, Use, Or Removal Order (SSURO). EPA filed a new brief in that case on February 3 asserting that the matter is not ripe for review and, substantively, that the wipes are properly considered pesticides because they are being marketed for use on surfaces.

Both challenges provide a reminder of the extensive scope of EPA’s FIFRA authority, including over products that do not explicitly make antimicrobial claims, but imply such effectiveness through other statements or based on the presence of certain active ingredients. For a more detailed discussion, see my prior blog post.

A copy of EPA’s updated COVID Compliance Advisory “What You Need to Know Regarding Products Making Claims to Kill the Coronavirus Causing COVID-19″ is available here.

COVID-19 has brought a proliferation of products claiming to kill or otherwise inhibit viruses, bacteria and other germs. These products, before they can be legally sold, are heavily regulated by the U.S. Environmental Protection Agency (EPA), Food and Drug Administration (FDA), and sometimes both. Major enforcement actions are pending against companies making illegal claims or selling unregistered products. Meanwhile, the FTC regulates advertising of many sanitizing products and the agency has pursued enforcement on companies that overstate their products’ germ-killing performance.

Please join us for a webinar covering the basics of germ killing and related product claims.

Discussion topics include:

• The regulatory landscape: Who regulates what – EPA, FDA and FTC jurisdiction and requirements
• What can you say and when can you say it
• Potential liability and enforcement considerations
• What to do if you receive a warning letter or other enforcement action

To view the presentation slides, click here.

To view the webinar recording, click here.

Subscribe to our Ad Law News and Views newsletter to receive information on our next round of webinars and to stay current on advertising and privacy matters.

Visit the Advertising and Privacy Law Resource Center for additional information for additional information, past webinars, and educational materials.

Early Action in Cases Against Public-Facing Businesses

Public-facing businesses—such those in the retail, travel and hospitality industries—have been the first to re-open and are currently navigating a patchwork of state guidelines on how to do so safely. Compounding this burden, these same companies are facing a wave of lawsuits by customers and employees alleging negligence, breach of contract, and unfair business practices during the pandemic.

These industries are not new to class action litigation and many companies have included arbitration clauses and class arbitration waivers in their consumer contracts. These defendants have, not surprisingly, moved to compel arbitration, and plaintiffs have responded with unique (but likely ineffective) allegations of unconscionability, fraud and duress to try to stay in court. For example, in a case against Amazon, the plaintiffs alleged that the arbitration agreement was unconscionable because they were under duress during the pandemic and were forced to purchase products from Amazon. Amazon’s response was based on the black-letter principle that unconscionability is measured at the time of contracting, and not at the time of the challenged conduct.

Other companies have focused on substance, arguing that they complied with their contractual obligations and that their customers have not suffered damages. For example, in the case of recurring monthly payments for fitness club memberships, defendants have argued that their membership agreements do not mandate refunds for temporary closures, and therefore plaintiffs who filed suit within days or weeks of the initial closure did so too quickly.

An Uncertain Road Ahead for Failure to Protect Claims

Not surprisingly, courts that have ruled on early motions to dismiss have come to different conclusions. For example, an Illinois state court denied a motion to dismiss by McDonald’s in a negligence suit brought by employees who claimed that the company did not provide sufficient training and personal protective equipment to protect them from coronavirus, and entered a preliminary injunction mandating social distancing training and mask-wearing policies. In contrast, a Missouri federal court dismissed similar claims by employees of a meat processing plant pursuant to the primary jurisdiction doctrine, deferring to the Occupational Safety and Health Administration (“OSHA”). These inconsistent results will likely lead to even more filings, as many plaintiffs will use this uncertainty as leverage to try to obtain favorable settlements.

Cruise passengers have similarly alleged that the cruise companies knew or should have known that coronavirus outbreaks were likely, and that they failed to take sufficient action even after infections were confirmed on board. The first such motion to dismiss challenging these was decided – and granted - on July 14, 2020, disposing of a series of what a California court called “Fear Cases” against Princess Cruise Lines. These plaintiffs did not actually contract coronavirus during their March 2020 cruise, but sought to recover damages for negligent infliction of emotional distress arising out of their alleged fear of contracting the illness. Applying U.S. maritime law, the court found that the plaintiffs failed to satisfy the necessary “Zone of Danger” test because they did not sufficiently allege that they were in immediate risk of physical harm. This decision could provide support to public-facing businesses on land.

To help alleviate the uncertainty facing businesses as they reopen, state and local governments have begun to enact liability protections for businesses related to the coronavirus pandemic. But, these measures can vary both within and across states, causing business to adopt strict nationwide policies to protect their employees and customers while also insulating themselves from liability. For example, a number of national retailers (such as Krogers, Target, and Best Buy) have started requiring customers to wear masks at all of their stores, even where local ordinances do not require them.

But even a seemingly-conservative approach carries some risk. In Pennsylvania, a number of individuals sued retailer Giant Eagle for complying with a Pennsylvania Secretary of Health Order requiring customers to wear face coverings in retail stores. The complaint and subsequent motion for a preliminary injunction alleges that the policy violates both the Americans with Disabilities Act and the Pennsylvania order itself, which exempts individuals who are unable to wear a mask due to a medical condition. Giant Eagle’s response outlined the numerous efforts the retailer took to accommodate those with disabilities (including enhanced curbside service, home delivery and on-the-spot personal shopping) and emphasized the public health justification for the policy. Giant Eagle also pointed to social media evidence suggesting that one lead plaintiff did not suffer from a disability at all, and that his aversion to wearing a mask was political rather than medical. As more businesses adopt a uniform mask requirement, and as the issue becomes more politicized, we expect these types of claim to proliferate.

Given the uncertainty that lies ahead, companies should adopt and enforce reasonable and appropriate policies, and carefully document any incidents that could lead to claims that they failed to protect (or failed to accommodate) their customers and employees. Companies who take these steps will be better-positioned to prevail on the merits (or to reach an early settlement if desired).

The Price of Education

With the fall semester looming, many educational institutions are still reeling from the wave of class actions challenging universities’ decisions to close on-campus activities last spring. While student plaintiffs have an understandable point that online-only classes do not compare to the experience of being on campus, universities have moved to dismiss these claims on the grounds that there is often no contractual requirement guaranteeing the “college experience.” Force majeure clauses and contractual defenses of impossibility or impracticability often provide additional support for defendants’ arguments that they are substantially performing their obligations by providing virtual learning during the pandemic. Public universities have also relied on sovereign immunity and other procedural hurdles that plaintiffs must follow when suing state agencies.

At the same time, schools are struggling to define what classes will look like in the Fall, balancing the risk of potential spread of infection with the risk of additional litigation challenging remote learning. Schools are also facing new potential theories of liability—how to treat students (or teachers) who do not wish to return to campus.

Education-related class actions that survive the pleading stage face an interesting road to class certification. Students take different courses and utilize the resources on campus to different degrees. Students may place a different value on “in-person classes,” and some students may even prefer an online learning experience. Thus, satisfying the predominance requirement of Rule 23 will be particularly challenging. Moreover, constructing a class-wide damages model that fits plaintiffs’ theory of liability will be nearly impossible because it raises ambiguous, and perhaps philosophical, questions about the true “value” of education.

All of these COVID-related class actions raise fascinating and novel legal questions that courts will have to deal with in the not-so-distant future. We will be following these cases closely and continue to report on significant developments. For a more in-depth treatment of these cases and for a comprehensive collection of case citations, click here.

In conjunction with the launch of the our Advertising and Privacy Law Resource Center, we have been holding a series of webinars in 2020. Please join us next week for:

Cleaning Up From 2020: Guidance for Disinfectant, Germ and Virus Killing Claims July 29, 2020

California Consumer Privacy Act (CCPA) for Procrastinators: What You Need To Do Now If You Haven’t Done Anything Yet July 30, 2020

We have created checklist of general tips to help companies navigate return-to-work privacy and data security issues. In addition to designing COVID-19 testing and screening data collection programs that fit local and state reopening conditions, companies may also wish to consult key sources of federal guidance, including the following:

• EEOC’s Coronavirus and COVID-19 page, which links to guidance on complying with disability protection and non-discrimination obligations.
• OSHA’s COVID-19 site, which contains a broad array of enforcement guidance, general and industry-specific reopening guidelines, and other resources.
• The CDC’s reopening guidance for businesses and workplaces.

• Kelley Drye's COVID-19 Response Resource Center
• Advertising and Privacy Law Resource Center
• Kelley Drye’s Advertising Law Practice Page
• Ad Law Access Blog
• Ad Law Access Podcast
• Ad Law News and Views Newsletter
• Upcoming webinars:
  • Product and Earnings Claims in the Time of COVID-19
  • Trade Association Antitrust 101
  • Additional webinars will be announced soon

For some of these products, those claims have not been reviewed or accepted by EPA and, therefore, may present a risk to consumers, and healthcare providers in particular.

Earlier this year, EPA issued a list of disinfectants (“List N”) that meet the agency’s criteria for use against the coronavirus (SARS-CoV-2, the strain of coronavirus that causes COVID-19). While the surface disinfectant products on List N have not been tested specifically against SARS-CoV-2, they are expected to work against the virus because they demonstrate efficacy against other viruses that are deemed harder-to-kill or another similar strain of coronavirus.

Please note that just because the product label states that it kills “99.5% of viruses,” this does not necessarily mean that it will kill coronavirus.

See my prior post on EPA enforcement activity in this area, as well as a more detailed description of EPA’s approval policy for products deemed effective against SARS-CoV-2.

EPA’s advisory is available here. List N can be found at: www.epa.gov/ListN.

Earlier this week, federal regulators continued their efforts to combat the spread of products featuring allegedly false and misleading claims that products can diagnose, treat, cure, or prevent COVID-19. In warning letters issued to CBD Gaze, Alternavita, Musthavemom.com, and Careful Cents LLC, the agencies identify the respective recipients as participants in the Amazon Affiliate program. Amazon Affiliates are marketers who earn commissions by promoting products sold on Amazon. The letters state that the products at issue, which include essential oils, grapefruit seed extracts, cod liver oil, and others, feature false treatment and prevention claims such as the following:

• CBD Gaze: “Find the best CBD Oil to help fight Coronavirus.”
• Alternavita: “4 Proven Ways To Protect Yourself Against Coronavirus,” you represent that “Everyone is concerned about Coronavirus and looking for ways to protect themselves,” and then state the following:

“Grapefruit Seed Extract If you want a little extra daily protection GSE is a safe antibiotic . . . [Amazon associate link].”

• Musthavemom.com: “NATURAL REMEDIES FOR CORONAVIRUS. . .There are plenty of things you can do to boost your immune system and fight off any virus including coronavirus. Here are a few!” … “2. Vitamin D . . . This important vitamin plays a crucial role in immune health. Being deficient in Vitamin D can increase your risk of infection. I recommend this brand of Vitamin D [Amazon associates link] and starting at a minimum dose of 5,000 IU.” [from your website https://musthavemom.com/coronavirus-prevention-treatment-plan/]
• Careful Cents LLC: “How to Boost Your Immune System Naturally With Essential Oils to Fight Coronavirus” you state: “Can you use essential oils to boost your immune system and fight coronavirus? Yes! Essential oils are one of the best tools to strengthen your immune system naturally . . .”

The letters state that the products are unapproved new drugs and misbranded pursuant to the Food Drug and Cosmetic Act. Causing the introduction or delivery for introduction of these products into interstate commerce is prohibited under sections 301(a) and (d) of the FD&C Act, 21 U.S.C. § 331(a) and (d). The letters also state that “it is unlawful under the FTC Act, 15 U.S.C. 41 et seq., to advertise that a product can prevent, treat, or cure human disease unless you possess competent and reliable scientific evidence, including, when appropriate, well-controlled human clinical studies, substantiating that the claims are true at the time they are made. For COVID-19, no such study is currently known to exist for the product identified above. Thus, any coronavirus-related prevention or treatment claims regarding such product are not supported by competent and reliable scientific evidence.”

What’s the lesson? The difference between these letters and the warning letters that FDA and the FTC issued earlier this year is that these are targeted not to the company making the product or even the retail platform on which they are sold. They were sent to the middleman marketer, who likely does not produce or possess the product, but who is promoting and profiting from its sale. This is consistent with the FTC’s letters to product influencers in other marketing contexts but is a departure from FDA’s typical enforcement approach. Although we have seen FDA pursue retailers (particularly online ones), FDA has not made pursuit of marketing affiliates a priority. Clearly, regulators want affiliate marketers (Amazon or otherwise) to understand that they are not immune from enforcement if they are making aggressive or unsubstantiated health claims.

While both measures similarly require “affirmative express consent” prior to most processing of personal information for COVID-19 purposes, notice prior to using the data, reporting requirements, and destruction after data use, the bills vary in many other respects. Some differences between the Republican and Democratic bills include preemption, enforcement authority, and civil and voting rights protections.

Perhaps the most material distinctions focus on preemption and enforcement – a common theme in federal privacy legislation. These areas continue to be sticking points between the parties in discussions regarding privacy legislation. While both measures allow for FTC and state attorney general enforcement, the Democrats’ bill also provides for a private cause of action, which would allow for damages between $100 and $1000 per negligent violation, and $500 and $5000 per reckless, willful, or intentional violation. And while the Republican measure expressly preempts any similar state measure, the Democratic measure expressly does not.

The Democratic measure also addresses other concerns regarding using health data for COVID-19 purposes where the Republican bill is silent. Specifically, the Democrats’ bill expressly prohibits the use of emergency health data for advertising or discriminatory purposes. The bill also requires the Secretary of Health and Human Services to work with both the U.S. Commission on Civil Rights and the FTC to submit a report examining how the collection, use, and disclosure of COVID-19 health information impacts civil rights issues.

In addition, the Democrats’ bill prevents government entities from restricting the right to vote based on an individual’s: (1) participation or non-participation in a program to collect emergency health data; (2) medical condition; or (3) emergency health data itself.

As with Congress’s debate over comprehensive federal privacy legislation, COVID-19 privacy legislation may come down to similar disputes over enforcement and preemption. Whether the parties will be able to agree on these issues as they apply in a more limited capacity remains to be seen.

As of April 30, 2020, more than 150 class actions have been filed directly relating to or stemming from the pandemic. Tens of millions of individuals have filed for unemployment, and the plaintiffs’ bar is eager to “help.” No amount of social distancing, and no impending treatment or vaccine, can insulate companies from the threat of class litigation.

While the specific factual circumstances underlying these claims are novel, the types of claims being asserted – and the jurisdictions where such actions are being filed – are not. Companies should stay on top of the following pandemic-related class action trends and, wherever possible, get ahead of or try to prevent the additional strain of a class action during these already difficult times.

Pandemic-Related Refunds

Millions of people throughout the United States hope to receive refunds for events and services that have been cancelled or postponed as a result of coronavirus-related bans on large gatherings, stay-at-home orders and travel restrictions. The strength of these cases will ultimately turn upon the specific cancellation, force majeure and limitation of liability clauses in the relevant contracts, with courts turning to common law doctrines of impossibility and impracticability where the contracts do not address these specific issues.

Rapid and widespread event cancellations have understandably tested companies’ abilities to fulfill their obligations. For many companies that act as intermediate platforms for transactions—such as tickets to events and rental of vacation properties—handling refunds on such a scale is not manageable or even possible given that money consumers pay is often forwarded to venues, festival promoters and other clients, who often control potential rescheduling. These circumstances have led to a series of class action lawsuits against ticket sellers, educational institutions, subscription fitness, sport, and health companies, and ski areas and theme parks who offer season ticket memberships.

Getting there can be difficult too. While air travel has not been suspended entirely, cancellations and postponements, and general advisories against “non-essential” travel, have stretched airlines’ cancellation policies. There has been a surge of litigation against nearly every major airline concerning refund policies during the pandemic.

Companies not only must navigate how to deal with existing liability, but how to reopen their business and charge their customers who return balancing compliance with written policies, supporting their customers and maintaining a good public image, and remaining financially solvent. Examination of potential ways to maintain cash-flow, through government incentives, customer credits against future transactions, and other means, is an important first step.

Negligence in Addressing the Threat of Coronavirus

Class actions have also been filed alleging negligence and inaction to respond to and prevent harm arising from the coronavirus pandemic. Thus far, these actions have largely been focused on cruise lines, alleging that the ships maintained business as usual despite increasing knowledge of the danger posed to passengers and crew, but it is easy to imagine additional lawsuits against companies that continued operations as the coronavirus spread (or were forced to continue throughout the shutdown). It is also expected that similar allegations will arise as the economy reopens and people resume their normal activities. Companies must design and implement a careful plan to minimize risk when they resume operations—by not opening too soon, providing adequate protective equipment and training to staff, and effectively warning customers of ongoing risks despite the business reopening.

False Advertising of Health Benefits

With consumers anxiously seeking products that can help them protect themselves during this public health crisis, it is important that companies are mindful of claims that may potentially overstate the effectiveness of a given product in treating or preventing the virus. A number of companies have already seen warning letters from federal agencies or class action lawsuits concerning the alleged lack of evidence that hand sanitizers can effectively prevent the spread of disease, including coronavirus. These lawsuits, asserting claims for consumer warranty and unfair competition, will likely spread from hand sanitizers to other products. It is unclear how courts will evaluate the objective “reasonable consumer” under present circumstances. Thus, companies should closely examine their existing advertising claims (both express and implied) to ensure they are not misleading in light of the “new normal.”

Price Gouging

Another area where class actions have been slow to file, but are expected to increase, is price gouging. The pandemic has caused sharp spikes in demand for disinfecting products, basic necessities, and essential food staples and empty shelves—both in brick and mortar stores as well as online shops—have increased consumer’ willingness to pay a premium for these types of products. While there is no federal law with strict guidelines for price gouging, more than half of the states have laws the prohibit charging excessive prices on certain products after a triggering event, such as a declaration of a state of emergency. Companies should closely monitor the prices they charge, both during the crisis and after it resolves, to ensure that any increases to their prices comply with applicable law. And while third party sellers like Amazon may be able to pass liability through to the ultimate seller in certain circumstances, it may be wise to actively monitor the pricing activities of their sellers and try to curb price gouging activity before getting hit with litigation.

Privacy

To alleviate the pains of social distancing, companies, schools, and families have turned to video conference apps to stay connected. As usual, with increased popularity comes increased scrutiny and, unfortunately, increased litigation.

Popular videoconferencing apps Zoom and Houseparty have already been hit with several class actions challenging their privacy practices. Not surprisingly, these actions have been filed in California, where the California Consumer Privacy Act (“CCPA”) went into effect earlier this year. While the CCPA only provides for a private right of action under limited circumstances, these actions demonstrate consumers’ ability—or at least attempt—to use other provisions of the CCPA as underlying statutory violations to support other California consumer protection claims, such as California’s Unfair Competition Law.

Technology companies whose platforms have seen a surge in popularity during the pandemic should closely monitor potential vulnerabilities and reexamine privacy protections that may no longer be adequate in this new virtual economy.

Securities Class Actions

Shareholder class actions have also been filed challenging both affirmative representations and omissions relating to the pandemic. These include actions against cruise lines that allegedly downplayed the risk of coronavirus to investors, pharmaceutical companies that allegedly overstated their ability to develop a treatment or vaccine, and technology companies that allegedly withheld privacy concerns that have come to light with increased use. These early cases illustrate why publicly traded companies must exercise great care when discussing their products and business both to the public and to their investors. It remains to be seen how defenses deflecting blame for decreases in stock prices to the pandemic (similar to those asserted in the wake of the mortgage crisis) will play out.

Conclusion

With court closures and delays throughout the country, the evolution of class action litigation relating to the coronavirus may take some time to come into focus. We expect the above described categories of cases to proliferate, and expand in scope as different issues arise from the reopening of the economy. We will continue to monitor these cases and provide regular updates as to the types of claims being asserted and any decisions that come out. For a more in-depth treatment of these cases and for a comprehensive collection of case citations, click here.

The bill imposes specific requirements on entities seeking to process precise geolocation data, proximity data, persistent identifiers, and personal health information (together, “covered data”) in association with COVID-19 mitigation efforts. Among other things, the Act would require:

• Notice/Consent: Prior notice and affirmative express consent for the collection, processing, or transfer of covered data to track COVID-19, monitor social distancing compliance, or for COVID-19 contact tracing purposes;
• Opt Out Rights: Giving individuals the right to opt out of such processing;
• Deletion Rights: Deleting or de-identifying all covered data once the entity is no longer using it;
• Data Processing Restrictions: A public commitment to limit the processing of the data, unless certain exceptions apply;
• Notice: Posting a clear and conspicuous privacy policy within 14 days of the Act’s enactment that provides information about data transfers, data retention practices, and data security practices; and
• Accountability: During the public health emergency, providing a bi-monthly public report identifying the aggregate number of individuals from whom the covered entity has collected, processed, or transferred covered data for COVID-19 purposes with additional detail about how and why that information was used.

Separately, the bill explicitly exempts covered entities from requirements under the Communications Act or regulations in relation to this processing. The bill also preempts any similar state law, although state attorneys general have enforcement authority along with the FTC.

Whether Congress will pass the measure is unclear, as Democrats and public interest organizations have voiced concerns about the bill. Still, assuming Congress can agree, it’s worth monitoring to see whether the measure may be included in any upcoming COVID-19 relief bill.

The FTC recently sent warning letters to companies for falsely claiming that their products can treat or prevent COVID-19. The latest episode of the Ad Law Access Podcast discusses the importance of keeping the current pandemic context in mind when making health claims more generally.

Listen on Apple, Google Podcasts, SoundCloud, Spotify, or wherever you get your podcasts.

For more information on these and other topics, visit:

• COVID-19 Response Resource Center
• Advertising and Privacy Law Resource Center
• Ad Law Access Blog
• Food and Drug Law Access
• Advertising and Privacy Law Resource Center
• Ad Law News and Views Newsletter

Six of the letters address both health and earnings claims, three address just earnings claims, and one addresses just health claims. Examples of allegedly deceptive health claims cited in the letters include:

• “Got the coronavirus heebeegeebees? Boost your immunity with this amazing deal!!!!”
• “… If interested to learn more or obtain oils or rollers Let me know A little extra protection can help #doterra #NursesCOVID19 #Dialysis #ImmunityBoosters #ImproveRespiratoryFunction”

Examples of allegedly deceptive earnings claims cited in the letters include:

• “Need to make extra money? Find it difficult to pay your bills? Were you laid off/ #fired? Be your own Boss w/doTERRA essential oils. Msg me to achieve financial independence #laidoff #unemployed #cantpaymybills #cantpaymyrent #student #sales #sidehustle #makemoney #stayathomemom.”
• “[E]veryone’s getting stimulus checks right now… There is no better investment you could do… Take that money that you’re about to get back… figure out a way to make this happen tonight.”

As a matter of longtime FTC precedent, the answer should be no, and the warning letters don’t go this far. But, the letters do underscore that the FTC is watching closely for any reference to COVID-19 or the pandemic, and MLMs and their participants should take note.

As business people, airport management, and event hosts everywhere try to figure out how they can return to business as usual, many are considering telethermographic device systems. These are cameras that can detect human temperature in comparison to their surroundings to help identify fevers. Reuters reported last week that Amazon implemented thermal cameras at its warehouses to scan for feverish employees. This has prompted many to wonder how telethermographic devices are regulated.

FDA helped answer this question last Friday. In its “Enforcement Policy For Telethermographic Systems During the COVID-19 Public Health Emergency,” FDA explains that use of such cameras to detect human temperature – even when used outside of a medical facility such as in an airport – may render the systems medical devices typically subject to pre-market clearance, registration, listing, and quality regulations. However, during the current pandemic, FDA is relaxing those regulations provided that the systems meet performance and labeling criteria.

The systems must be tested and labeled consistent with the following:

1) IEC 80601-2-59:2017: Medical electrical equipment – Part 2-59: Particular requirements for the basic safety and essential performance of screening thermographs for human febrile temperature screening; OR

2) Alternative performance specifications that provide similar results to IEC 80601-2-59:2017. The guidance lists several alternative standards.

FDA recommends labeling that includes the following:

1) A prominent notice that the measurement should not be solely or primarily relied upon to diagnose or exclude a diagnosis of COVID-19, or any other disease;

2) A clear statement that:

1. a) Elevated body temperature in the context of use should be confirmed with secondary evaluation methods (e.g., an NCIT or clinical grade contact thermometer);
2. b) Public health officials, through their experience with the device in the particular environment of use, should determine the significance of any fever or elevated temperature based on the skin telethermographic temperature measurement;
3. c) The technology should be used to measure only one subject’s temperature at a time; and
4. d) Visible thermal patterns are only intended for locating the points from which to extract the thermal measurement.

FDA also recommends labeling that explains the performance specifications, proper use, installation, and related technical considerations listed in the guidance.

Companies considering using these devices will want to keep in mind that FDA is likely to reinstate the regulatory requirements post-pandemic. When screening vendors, companies should consider whether the vendor will be able and willing to comply with the medical device standards once the economy has re-opened to a significant degree.

In addition, this technology raises employee and consumer privacy issues. Prior to using it, companies should consider applicable laws and policies around notice to the public or employees, capturing such data, potentially storing or sharing it.

The Warning Letters

The agencies identified the three VoIP gateway providers as the sources of the illegal calls through the efforts of the USTelecom Industry Traceback Group, a consortium of phone companies that help officials identify potentially unlawful calls. The phone companies used a process known as “traceback,” in which they share information to trace unlawful spoofed robocalls to their origination.

In the letters, the agencies reminded the companies that the COVID-19 scam robocalls are in fact illegal and directed them to cease transmitting the traffic immediately, as the calls have “the potential to inflict severe harm on consumers.” The letters warned the companies that if they did not stop transmitting the identified traffic within 48 hours, the FCC would authorize other U.S. voice providers to block all calls from the companies and take any other steps necessary to prevent transmission of the calls. The agencies also sent a separate letter to USTelecom advising the trade association that, if the VoIP providers do not block the traffic, the FCC will authorize other U.S. service providers to block all calls coming from that gateway and will take other actions as necessary to authorize U.S. service providers to block traffic from the originating entities. In addition, the FCC encouraged other service providers to take immediate action to block unlawful calls pursuant to existing legal authority.

This action is a significant – and significantly aggressive – new approach by the agencies. While both agencies have taken actions to prevent and deter unlawful robocalls, the threat to block traffic from the originating carrier is a new tactic in the fight against unlawful calls. Notably, it is not clear under what authority the FCC can or would order the blocking of all traffic from the subject VoIP gateway providers if they failed to block the allegedly unlawful robocalls. The letter does not cite any provision of the Communications Act that would authorize such blocking. Moreover, existing FCC orders relating to call blocking have authorized only limited call blocking practices that were optional for the carriers. Were the FCC to order such blocking (and to make it mandatory), it appears that such action would be the first of its kind by the agency.

Briefly, we will review the agencies’ recent history with anti-robocall activities.

The Educare Services Enforcement Action and Prior FTC Warning Letters

In the three letters to the VoIP gateway providers, the FCC and FTC reference the FTC’s recent enforcement action against VoIP provider Globex Telecom. This action relied upon provisions of the FTC’s Telemarketing Sales Rule (“TSR”), which addresses calls made for a telemarketing purpose. In December 2019, the FTC obtained a preliminary injunction against Educare Services and Globex Telecom Inc. for robocalling consumers to promote allegedly fraudulent credit card interest rate reduction services. The FTC complaint alleges that Globex played a key role in “assisting and facilitating” the illegal credit card interest rate reduction services Educare promoted by providing Educare with the means to call consumers via interconnected VoIP communication services and facilities. For a VoIP company to be liable under a TSR “assisting and facilitating” theory, the FTC must prove that the company “knew or consciously avoided knowing” the robocall campaigns violated the TSR.

A week before the joint letters, the FTC sent letters to nine VoIP service providers and other companies warning them that “assisting and facilitating” in the transmission of illegal COVID-19-related telemarketing or robocalls is unlawful. The agency also sent letters to nineteen VoIP service providers in January with a similar warning about all illegal robocalls.

FCC TRACED Act Implementation and the STIR/SHAKEN Mandate

Like the FTC, the FCC recently shifted its focus in robocall enforcement towards the originating carriers. On February 4, 2020, the FCC’s Enforcement Bureau sent letters to seven VoIP gateway service providers, notifying them that unlawful robocalls had been traced to their networks and asking for their assistance in tracking down the originators of the calls. Although no enforcement action was threatened at the time, the FCC also asked each provider to detail their anti-robocall efforts to the Commission.

More recently, the FCC took several steps in implementing the TRACED Act, which requires the FCC to initiate several near-term rulemakings and other actions aimed at addressing unlawful spoofing and robocalling operations. On March 27, the agency adopted a Report and Order and Further Notice of Proposed Rulemaking establishing rules for the registration of a single consortium to conduct private-led “traceback” efforts, which is expected to formalize the relationship with the USTelecom Industry Traceback Group. Additionally, on March 31, the FCC adopted a separate Report and Order and Further Notice of Proposed Rulemaking mandating that originating and terminating voice service providers implement the STIR/SHAKEN framework in the IP portions of their networks by June 30, 2021. STIR/SHAKEN—the technology framework behind the “traceback” process—allows providers to verify that the caller ID information transmitted with a particular call matches the caller’s number as the calls are passed from carrier to carrier. FCC Chairman Pai previously urged major providers to adopt STIR/SHAKEN technology voluntarily and warned that the voluntary approach would become a mandate if the providers did not move fast enough. Still to come are comments on a “know your customer” obligation for service providers and rules to deny access to numbering resources to originators of unlawful calls.

As we have previously noted, the TRACED Act also requires the implementation of an alternative call authentication framework in non-IP networks, extends the FCC’s statute of limitations for bringing some illegal robocall enforcement actions, and eliminates the requirement to give warnings before issuing certain filings.

Takeaways

These letters, coupled with the recent activity by the FTC and FCC to combat illegal robocalls, signal the agencies’ desire to cause a meaningful reduction in unlawful calling, and in particular, demonstrate a desire to prevent scammers from taking advantage of the COVID-19 crisis to carry out their deceptions. Both agencies can seek civil penalties and take other actions necessary to prevent the proliferation of these calls.

Importantly, the targets of agency action are not necessarily limited to the entities that place the unlawful calls. These federal actions are a good reminder for VoIP and other service providers to assess whether their customers’ practices may indicate unlawful use of VoIP or other services. With the warning letters, and now these blocking letters, the FCC and FTC increasingly are showing an openness to pursuing penalties under vicarious liability theories. If there are facts that support knowledge of the unlawful activity or “red flag” type practices (such as a customer being the target of multiple third party government subpoenas, among other facts), that’s a good indication that further steps by the VoIP provider may be warranted to mitigate the risk of facing an enforcement action by the FTC or FCC. If you have questions about how these enforcement trends and related risk factors are relevant to your business, please contact your Kelley Drye counsel.

As consumers look for refunds, many businesses are reviewing their policies to determine whether there are creative ways they can stop cash from going out the door. On March 12, for example, StubHub announced that consumers had the option of either getting a refund for a cancelled event or a coupon for 120% of the original ticket price. Apparently, the option was well-received, and many consumers opted for the coupon.

On March 25, StubHub changed the terms of its policy and limited the availability of the option, stating that “if the event is canceled and not rescheduled, you will get a refund or credit for use on a future purchase, as determined in StubHub’s sole discretion (unless a refund is required by law).” Other communications omitted that parenthetical, suggesting that all consumers would get a coupon, rather than a refund.

It only took about a week for the first lawsuit to be filed. In a class action filed in Wisconsin federal court, a plaintiff argues that by retroactively changing its refund policy, StubHub breached its contract with consumers and violated California false advertising laws. Among other things, the plaintiff is asking for refunds for class members, which could exceed $5 million.

Lawmakers are looking at this, too. In February, the House Energy and Commerce Committee invited representatives from six companies to a hearing to discuss issues in the live event ticket industry. And this month, Committee Chairman Frank Pallone called on companies in the industry “to fully reimburse all consumers affected by canceled or postponed events,” rather than issue credits.

Although it’s too early to tell how this issue will play out, there is likely to be scrutiny on how companies handle refunds across a range of industries. If you are considering changes to your refund policy, think carefully about what promises you’ve made to consumers and whether your terms provide flexibility for changes. Saving money on refunds can be a good thing, but those savings have to be balanced against the legal and reputational costs of a bad decision.

For example, Massachusetts issued an emergency regulation that prohibits creditors from making unsolicited debt collection telephone calls to Massachusetts consumers for the next 90 days, unless the state of emergency ends before that time. The regulation also prohibits collectors from

• filing any new collection lawsuit;
• garnishing wages, earnings, properties or funds;
• repossessing vehicles;
• applying for or serving a capias warrant;
• visiting or threatening to visit the household of a debtor;
• visiting or threatening to visit the place of employment of a debtor;
• confronting or communicating in person with a debtor regarding the collection of a debt in any public place.

First-party collectors and debt collectors should consider the Massachusetts and Nevada initiatives before contacting consumers in those states, and continue to monitor whether other states follow suit with similar restrictions.

Personal information — some of which may be highly sensitive — is key to many of these efforts. Although some regulators in the U.S. and abroad have made it clear that privacy laws and the exercise of enforcement discretion provide leeway to process personal information in connection with COVID-19, they have also made it clear that privacy laws continue to apply. Federal Trade Commission (FTC) Chairman Joe Simons advises that the FTC will take companies’ “good faith efforts” to provide needed goods and services into account in its enforcement decisions but will not tolerate “deceiving consumers, using tactics that violate well-established consumer protections, or taking unfair advantage of these uniquely challenging times.” And, with many eyes on the California Attorney General’s Office in light of recent requests to delay enforcement of the California Consumer Privacy Act (CCPA), an advisor to Attorney General Xavier Becerra was quoted as stating: “We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers' privacy online that comes with it. We encourage businesses to be particularly mindful of data security in this time of emergency.”

Devoting some thought to privacy issues at the front end of COVID-19 projects will help to provide appropriate protections for individuals and address complications that could arise further down the road. This post identifies some of the key privacy considerations for contributors to and users of COVID-19 resources.

1. Is Personal Information Involved?

Definitions of “personal information” and “personal data” under privacy laws such as the CCPA and the EU’s General Data Protection Regulation (GDPR) are broad. Under the CCPA, for example, any information that is “reasonably capable of being associate with, or could reasonably be linked” with an individual, device, or household is “personal information.” This definition specifically includes “geolocation data.” Although some data sources provide COVID-19-related information at coarse levels of granularity, e.g., county, state, or national level, the broad definition of “personal information” under the CCPA, GDPR, and other privacy laws makes it worth taking a close look at geographic and other types of information to determine whether the data at issue in fact reasonably qualifies as “personal information,” or if it is sufficiently anonymized to meet privacy definitions of de-identified and/or aggregate data. CCPA, HIPAA, and other privacy laws provide examples of what safeguards are expected to reasonably treat data as anonymized, and employing such standards can help avoid unnecessary privacy mishaps despite well-intentioned efforts.

2. What Level(s) of Transparency Are Appropriate About the Data Practices?

Although some COVID-19 tools may be exempt from statutory requirements to publish a privacy policy (e.g., the provider of the tool is not a “business” under the CCPA), there are still reasons for providers to explain what data they collect and how they plan to use and disclose the data:

• Disclosures help individuals to reach informed decisions about whether they want to provide their data, e.g., by downloading an app and allowing it to collect their location and other information. If business practices and consumer expectations are not reasonably aligned around the data practices, the failure to provide an appropriate privacy notice could be deemed an unfair or deceptive practice, inviting the scrutiny of the FTC or State Attorneys General.
• Developing a privacy policy (or other disclosure) can help provide internal clarification on what types of personal information (or not) an app or service needs and collects. A granular understanding of such data practices can help providers to identify and mitigate privacy and data security risks associated with such data practices.
• Developing a disclosure about a provider’s data collection and usage can help clarify the decision-making structure among multiple stakeholders so that the group is better equipped to handle data governance decisions over the lifecycle of a project.

Although much remains to be seen in how federal, state, and local governments will use personal information (if at all) to develop and implement strategies to slow the spread of coronavirus, it is not unreasonable to expect that government agencies will seek information from providers of COVID-19-related tools. The extent to which a provider can voluntarily provide information to the government — as well as the procedures that the government must follow to compel the production of information (and maintain the confidentiality of it in personally identifiable form) — depends on several factors, including what kind of information is at issue and how it was collected. Becoming familiar with the rules that apply to voluntary and compelled disclosures, and safeguards to help prevent such data from being subject to broad freedom of information laws, before a request arrives can help save valuable time down the road. In many of these scenarios, for example, aggregate or pseudonymous data may be sufficient.

4. What Considerations Are There for Licensing COVID-19-Related Personal Information?

Finally, any licensing of personal information in connection with COVID-19 tools deserves careful consideration, particularly if the CCPA applies. The CCPA imposes notice and opt-out requirements on entities that “sell” personal information. “Sell” is defined to include disseminating, disclosing, or otherwise “making available” personal information to for-profit third parties in exchange for “monetary or other valuable consideration.” Several types of open source licenses require users to accept certain restrictions on their use and/or redistribution of licensed data or software. For example, the Creative Commons Attribution-NonCommercial 4.0 International license requires licensees to agree (among other conditions) not to use licensed content for commercial purposes. Obtaining this promise in exchange for personal information could constitute “valuable consideration” and give rise to a “sale” under the CCPA. In addition, while not a “sale,” sharing personal information with a government authority would qualify as a disclosure under CCPA and would need to be accurately disclosed in the privacy policy.

Neither the California Attorney General nor the courts have interpreted the CCPA in the context of open source licenses. Until more authoritative guidance becomes available, it makes sense to think through the potential obligations and other consequences of applying and accepting specific license terms to COVID-19-related personal information.

Bottom line: Personal information has a key role to play in shaping responses to the novel coronavirus. Privacy laws remain applicable to this information. Applying privacy considerations to COVID-19 related practices involving data collection, sharing, and analysis will help mitigate unnecessary harms to consumers, aside from those presented by the virus itself.

For other helpful information during this pandemic, visit our COVID-19 Resource Center.

Representations About Shipping Dates The Mail Order Rule requires that when you advertise merchandise, you must have a reasonable basis for representations about timing for shipping. If you provide no shipping date, you must have a reasonable basis for believing that you can ship within 30 days. Particularly in these times of uncertainty, companies may choose to use a shipping date that is further out than what they would reasonably anticipate in typical circumstances.

Initial Delay Notice If you cannot ship the merchandise by the promised time frame or within 30 days, you must notify the customer and give the option to cancel the order and obtain a full and prompt refund.

If you know when you can expect to ship the merchandise, the initial delay notice must contain: (1) the revised shipping date; (2) the customer’s ability to cancel for a full refund; and (3) a statement that a customer’s non-response is a consent to the delay.

If you cannot provide a revised shipping date, the initial delay notice must contain: (1) the reason for the delay and (2) a statement that, if the customer agrees to the indefinite delay, the customer may cancel the order any time before shipment.

Subsequent Delay Notices Given the current unpredictability around supply chains and distributions, companies may be unable to ship by the date included in the initial delay notice. If that occurs, prior to that date, you must send a “renewed” delay notice. Although this notice must include much of the same information as the initial delay notice, a customer must expressly consent to further delay.

A renewed delay option must include information about: (1) a revised shipping date; (2) the customer’s ability to cancel for a full refund; and (3) a statement that, unless the customer agrees to wait beyond the most recent definite revised shipment date and the company has not shipped by then, you will automatically cancel the order and issue a prompt refund.

If you cannot provide a new definite revised shipping date, the notice must include: (1) the reason for the delay; and (2) a statement that, if the customer agrees to the indefinite delay, the customer may cancel the order any time until shipment.

Instead of sending a delay notification, you can cancel the order and send a refund, as long as you notify the customer and send the refund within the time you would have sent the consent notification.

Exemptions to the Rule Not all merchandise is subject to the Mail Order Rule. For example, products such as monthly gift clubs, subscription boxes, and magazine subscriptions are exempt, although because the FTC could still challenge practices allegedly unfair or deceptive, we recommend taking reasonable steps to notify consumers about shipping delays and to offer options for cancellation and perhaps a refund.

Enforcement The FTC can extract large civil penalties for violations of the Mail Order Rule: up to $43,280 per violation plus consumer redress. For example, in FTC v. DiscountMetalBrokers, Inc., a court ordered DiscountMetalBrokers to pay over $6 million for violations of the FTC Act and the Mail Order Rule. The FTC has also levied fines of over $800,000 in settlements related to alleged Mail Order Rule violations.

* * *

The Mail Order Rule imposes very specific requirements that companies should navigate carefully, COVID-19 or not. As companies face shipping and distribution disruptions, appropriate notice to customers as delays become known will avoid Mail Order Rule violations and enforcement.

For other helpful information during this pandemic, visit our COVID-19 Resource Center.

Update: Our article, Top FTC Rules and Guides You Should Keep in Mind, and other mail order rule blog posts may also be useful.