Federal Efforts

American Privacy Rights Act

Last week, the House Energy and Commerce Committee abruptly canceled a scheduled markup of the latest American Privacy Rights Act (APRA) discussion draft, Congress’s most recent comprehensive privacy proposal. Some privacy advocates welcomed the cancellation, strongly opposing the removal of AI and civil rights protections in the latest draft. These protections included prohibitions against algorithmic discrimination and requirements for transparency and impact assessments for AI systems.

At present, it seems APRA may not advance as far as the 2022 American Data Privacy and Protection Act, which was passed out of the Energy and Commerce Committee but ultimately never received a floor vote. With the August recess and October break ahead of the November elections approaching, the likelihood of any comprehensive privacy legislation reaching the House floor this year seems dim. However, we will continue to monitor these federal legislative efforts and their potential impact on AI providers.

White House Executive Order

Last year, the White House released the federal government’s first comprehensive guidelines regarding AI. Although the Executive Order focuses almost entirely on the government’s own use of AI, the ultimate effects of the order will be significant for private sector businesses engaging with federal agencies.

Pursuant to the Executive Order, on April 29, 2024, NIST released a draft risk management profile specifically addressing generative AI. The Generative AI Profile—which is intended as a companion resource to NIST’s AI Risk Management Framework—offers voluntary best practice guidance regarding the design, deployment, and operation of generative AI systems. As states continue to draft AI legislation, the NIST AI Risk Management Framework will likely continue to serve as an instructive reference point for legislators across the country.

State Legislation

Colorado AI Act

The Colorado AI Act, SB 205, is now set to take effect February 1, 2026, although the freshly-signed law is already slated for revisions: in a recent letter, Gov. Jared Polis, AG Phil Weiser and Senate Majority Leader Robert Rodriguez acknowledged that “a state by state patchwork of regulation” on AI poses “challenges to the cultivation of a strong technology sector” and promised to engage in a process to revise the new law to “minimize unintended consequences associated with its implementation.”

As drafted, the law introduces new obligations and reporting requirements for both developers and deployers of AI systems. Key requirements include:

• Transparency. Moving forward, any businesses that use AI systems to interact with consumers must disclose this fact during consumer interactions.

• Algorithmic Discrimination in High-Risk AI Systems. The new law seeks to combat “algorithmic discrimination,” where the use of AI results in outcomes that disfavor consumers based on several personal and sensitive data categories. High-risk AI systems are defined as systems used to make decisions about individuals in the areas of education, employment, finance or lending, government services, healthcare, housing, insurance, and legal. Developers and deployers of such systems have a duty to use reasonable care to protect consumers from known or reasonably foreseeable risks of algorithmic discrimination, and the law identifies specific obligations such entities must undertake.

• Consumer Notice, Correction, and Opt-Out Rights. Consumers must be notified when high-risk AI systems are used to make any decisions about them in the areas outlined above (e.g., education, employment, etc.), and must have the right to correct inaccurate data and appeal the decision to a human reviewer.

• Existing Obligations Under the Colorado Privacy Act (CPA). Deployers must also respect the existing rights of consumers under the CPA, including the right to opt-out of the processing of personal information for profiling with legal or similarly significant effects concerning the consumer, including decisions made using AI. In April, Colorado amended the CPA’s definition of sensitive data to include both biological and neural data used either in insolation or in combination with other personal data elements for identification purposes. The CPA additionally creates AI-related disclosure obligations, requiring businesses to provide privacy policy language that details the personal data categories used for profiling, a plain-language explanation regarding the AI logic in use, explanations describing its benefits and potential consequences, and text explaining whether the system has been evaluated for accuracy, fairness or bias.

• Enforcement. The Colorado attorney general has sole authority to enforce the Colorado AI Act, and the law includes no private right of action. Violations are considered breaches of Colorado's general consumer protection laws, which can result in a maximum civil penalty of $20,000 per violation. Notably, each violation is counted individually for every affected consumer or transaction. Consequently, just 50 impacted consumers could result in a maximum civil penalty of $1 million. Actions must be brought within three years of the violation occurring, or from the time when the violation was discovered.

We’ll keep an eye on whether all these requirements survive the revision process suggested above.

Utah Artificial Intelligence Policy Act

On May 1, 2024, Utah’s Artificial Intelligence Policy Act, SB 149, became effective. Generally, Utah’s legislature has pursued a far lighter touch to AI regulation than Colorado. Key takeaways include:

• Disclosure Upon Request. Most businesses and individuals will only be required to disclose the use of AI when prompted by a consumer.

• Disclosing the Use of AI in Regulated Professions. Businesses and individuals operating within regulated professions (e.g., healthcare professionals) must prominently disclose the use of AI before its use with customers.

• Responsibility for Generative AI Outputs. Companies are responsible for the outputs of their generative AI tools and cannot pass on blame if those tools violate Utah consumer protection laws.

Comprehensive State Privacy Laws

Twenty states have now passed comprehensive state privacy laws: California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia. These states, with the exceptions of Utah and Iowa, impose additional requirements on companies engaging in “profiling,” which is defined as the automated processing of personal data to analyze or predict something personal about an individual, such as one’s economic situation, behavior, health, or personal preferences. Under these laws, consumers must be able to opt-out of being profiled in a manner that could lead to a “legal effect” on that consumer or another “similarly significant effect.” Although a few of these laws are currently effective, the majority come into effect over the next few years. Here are the key dates to keep mind:

• Currently Effective. The comprehensive privacy laws in California, Colorado, Connecticut, Utah, and Virginia are currently effective.

• Effective in 2024. Florida, Montana, Oregon, and Texas have comprehensive privacy laws coming into effect in the next several months.

• Effective in 2025. Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Tennessee have enacted comprehensive data privacy laws that will become effective in 2025.

• Effective in 2026. Kentucky and Indiana have enacted comprehensive data privacy laws that will become effective on Jan. 1, 2026. The Rhode Island legislature also passed the Rhode Island Data Transparency and Privacy Protection Act, SB 2500 / HB 7787, on June 13, 2024. If signed, the law will also become effective on Jan. 1, 2026.

California Privacy Protection Agency Initiatives

The California Privacy Protection Agency is currently considering rules and engaging in pre-formal rulemaking stakeholder sessions regarding the use of automated decision making technology (ADMT). California defines ADMT as technology that collects, uses, retains or discloses personal information and either replaces or substantially facilitates human decision making. Algorithmic “profiling,” discussed above, is encompassed within this definition. Examples include resume-screening tools used by businesses to decide whether to interview applicants and analytics tools that place consumers into audience groups to further target them with advertising.

Businesses subject to the California Consumer Privacy Act (CCPA) and that use ADMT for “extensive profiling,” to make “significant decisions” regarding consumers, or that use personal information to train ADMT would be subject to new transparency and opt-out requirements. Behavioral advertising, the practice of tracking users’ online activities to deliver ads tailored to their interests, is included within the definition of “extensive profiling.” Further discussion regarding the terms “extensive profiling” and “significant decisions” can be found here. Businesses would be required to offer a pre-use notice informing consumers of how the company uses ADMT and of the individual’s CCPA opt-out rights.

Ongoing Legislative Efforts

Currently, a multitude of states, including New York, California, and Massachusetts, are working on proposed AI governance bills. In addition, new legislation in Illinois addressing AI usage currently awaits the Governor’s signature.

• California. The Assembly recently advanced multiple bills addressing AI usage. These bills include provisions prohibiting algorithmic discrimination and would establish new compliance and reporting requirements for AI providers. Additionally, these bills would require businesses to implement watermarking systems identifying AI-generated content and to publicize information regarding the methods used to train AI models.

• Illinois. On May 24, 2024, the Illinois legislature passed HB 3773, amending the Illinois Human Rights Act by adding new provisions regarding the use of predictive data analytics for employment and credit decisions.

Europe

The EU AI Act

On May 21, 2024, the EU Council unanimously passed the EU AI Act (AIA). Businesses, whether EU-based or not, should pay close attention to the upcoming changes for two reasons. First, the AIA applies to all providers of AI systems placed on the EU market, regardless of where the provider is located. Second, the penalties for non-compliance are some of the toughest in the world, allowing for fines up to €35 million EUR or 7% of a company’s annual revenue.

Broadly, the AIA creates a risk classification scheme, which places AI systems into one of several categories. The categories are:

• Unacceptable Risk. AI systems constituting an unacceptable risk are prohibited entirely. These include systems used to manipulate or exploit individuals, classify or evaluate individuals based upon their personal traits, and emotion-recognition systems used in workplace and educational contexts.

• High Risk. The AIA defines high risk systems as those presenting a significant risk to health, safety, or fundamental rights. Examples of AI systems falling under this category include those used in education, employment, healthcare, and banking settings. Providers of high-risk systems are subject to a number of strict regulations, including required registration in a public EU database. Additionally, providers of these systems must perform regular impact assessments and implement procedures that ensure transparency, security, and human oversight of their systems.

• Limited Risk. For systems posing limited risks, such as chatbots interacting with humans and AI-generated content, the AIA imposes transparency obligations to ensure humans are informed that an AI system was involved. Providers of AI-generated content must ensure it is identifiable as such.

• Minimal or No Risk. Minimal-risk AI uses, which present little to no risk to the rights or safety of individuals, can be freely used under the AIA. Examples include AI-enabled video games and spam filters. Most AI systems currently deployed are likely to fall under this category.

• General Purpose AI (GPAI). GPAI refers to AI systems trained on broad datasets capable of serving a variety of purposes. Popular examples include OpenAI’s ChatGPT and DALL-E programs. Providers of GPAI models are required to produce technical documentation and release detailed summaries of their training data. For GPAI models that present systemic risks, providers must also implement cybersecurity measures, mitigate potential risks, and perform evaluations that include adversarial testing.

We will continue to monitor these ongoing state, federal, and international AI legislative efforts and provide you with the latest updates to help you prepare for what lies ahead.

Summer Associate Joe Cahill contributed to this post

For followers of this blog and the FTC, the Guidance will ring familiar as another recent attempt by the FTC to declare law through guidance, analogous to the FTC’s revised Health Products Compliance Guidance in December 2022. Despite its length, the Guidance conspicuously omits any reference to last fall’s landmark decision in FTC v. Neora where the district court rejected many of the same theories that Staff now recasts as guidance, such as an amorphous prohibition against a “focus” on recruitment. As noted in our earlier coverage of the Neora decision (here), we expected the Commission to remain undeterred and regroup to lay the groundwork for future litigation—which the Guidance certainly appears to be issued with an eye toward.

Some of these principles were previewed in last month’s letters to the Direct Selling Association and the Direct Selling Self-Regulatory Council, which we discussed here. Others are more detailed and provocative pronouncements on longstanding issues; others appear at least somewhat new. We address a few highlights below but note that there is a lot to unpack here. While the legal standard for pyramiding has never been black and white and has always been fact-specific, the Guidance muddies the water further – at least as to the FTC’s perspective of the law – by appearing to diminish the importance of retail sales validation and differentiation between distributors and customers, both practices that the FTC has long encouraged and required as injunctive relief in the Herbalife settlement.

Injecting Further Uncertainty Into Pyramiding

• No safe harbors for retail sales; repudiating the “primarily” test. Echoing comments made in last month’s letter to DSA, the Guidance repeatedly states Staff’s view that there are no safe harbors to avoid classification as a pyramid scheme, including where even the vast majority of an MLM’s revenue comes from retail customer sales or where rewards paid to participants are contingent upon sales. Staff adds a wholly new section to the Guidance seeking to repudiate the standard of whether a pyramid scheme is inherently based on rewards “primarily” unrelated to retail sales – a standard set forth both in longstanding case law and the FTC’s since renounced 2004 advisory opinion letter. Instead, Staff explains its current view that, where a compensation plan requires a certain level of downline participants for eligibility for rewards, even where a sale is required to trigger compensation, “[p]articipants will be incentivized to focus on recruitment to build a large downline, with the hope that someone in their downline will sell or buy products.”
• Prohibiting compensation plans “focused” on recruitment. Instead of evaluating whether a plan is primarily based on retail sales or rewards unrelated to retail sales, the Guidance suggests that FTC Staff will consider whether “the structure as a whole operates in practice” to “focus on recruiting rather than product sales to real customers who don’t also participate in the MLM network,” including based on “marketing representations,” “participant experiences,” “the compensation plan,” and the “incentives that the compensation structure creates for participants.” The Guidance does not dispute that legitimate direct selling companies can and must recruit participants to sell products, but suggests that any structure that over-emphasizes recruitment – either facially or in practice – may constitute a pyramid scheme. Similar arguments were advanced and rejected by the court in Neora.
• Personal consumption questioned. Courts have long accepted that MLM participants may purchase products to meet genuine demand for personal consumption and that such purchases within reasonable limits must be considered legitimate retail sales. The Guidance again casts doubt on the willingness of Staff to credit this consumption and demand, by listing potential scenarios that the FTC considers problematic, such as purchases used to meet thresholds to earn or maintain a level of compensation or rank, or purchases encouraged by a participant’s upline.
• Preferred customer purchases. The Guidance newly questions the validity of purchases by “preferred customers”—customers who have not registered as participants in the MLM opportunity—as potentially problematic if purchases “may be incentivized by the compensation plan.” The Guidance does not elaborate on what incentives would be permissible or prohibited for preferred customers.

Restricting Earnings Claims

• Atypical earnings claims. The Guidance strongly discourages claims of atypical earnings, stating that a “claim should reflect what the typical person to whom the representation is directed is likely to achieve” and emphasizing that even truthful testimonials from participants earning atypical amounts of money will likely generate a deceptive impression and must “at a minimum” be accompanied by “a clear, prominent, and unavoidable presentation of the typical participant’s revenue and expenses—all of which must be substantiated.” What’s more, Staff sets a remarkably low threshold for the types of claims that are likely to be considered deceptive. Whereas the 2018 Guidance discussed “expensive” houses and “luxury” automobiles, the updated Guidance now calls out claims about “modest or supplemental income” or that income from an MLM compensation funded gas or grocery purchases as potentially deceptive where the typical participant may not obtain that level of net income or without consumer perception evidence regarding how consumers interpret “modest or supplemental income.”
• Factoring in expenses. Without citing authority, Staff repeatedly assert that, to make any earnings claim, an MLM must first know the typical expenses of participants—not just to the company, but all expenses associated with pursuing the opportunity (travel, training, etc.)—and that any earnings claim must be based on these expenses being deducted from income. According to the Guidance, if a company “does not have access to data showing what participants typically spend pursuing the business opportunity (e.g., product or service purchases, website fees, party costs, and training or conference expenses), they should refrain from making any earnings claims.” In this regard, the Guidance seems to assume that reasonable consumers would assume that earnings claims would always be net of expenses, even though most earnings figures for occupations are not and even though many direct selling companies expressly disclose this fact.
• Income disclosure statements. The Guidance memorializes views expressed in Staff’s letter to the DSSRC in March which takes issue with the independent body’s issued guidance on income disclosure statements (covered here). Notably, the revised Guidance not only details Staff’s views on how income levels are determined such that expenses must be included, it also addresses who ought to be included in that calculation. Staff takes issue with disclosure statements excluding participants deemed “inactive” or who did not earn compensation, reasoning that such participants may have unsuccessfully tried to pursue the opportunity and that participants should not be omitted from earning statistics without evidence that they “affirmatively opted out of the income-earning opportunity, not merely failed to qualify for it or not merely exercised any inventory buy-back program.”

Agency Liability for Third-Party Claims

Despite the Commission’s Endorsement Guide acknowledging that it is “unrealistic” to expect a company to be aware of every statement made by a member of its network, Staff throughout the Guidance repeatedly notes that an MLM may be liable for the claims made by its participants and includes an entire section on this agency theory of liability and states there is “no safe harbor” for agency liability under existing law. Staff does, however, provide examples of potential actions to improve the effectiveness of compliance measures, including training, obtaining access to platforms used by participants (such as social media), and meaningful discipline for violations.

***

As we have discussed, Commission guidance does not have the force of law, although it does offer important insight into how current Staff intends to apply the law. To its credit, FTC Staff characterize the document as “non-binding guidance to assist multi-level marketers in applying those core principles to their business practices.” Elsewhere on the FTC’s website, Staff explains that guidance documents are “intended only to provide clarity to the public regarding existing legal requirements or agency policies.”

While this acknowledgment may offer some respite, the Guidance itself seems unlikely to advance its objective to “provide clarity,” except perhaps to emphasize that Staff is willing to selectively interpret precedent in a way that supports its long-held skepticism of the industry.

Notably, the first case alleges COPPA violations (compromising the privacy and safety of users under 13) but adds allegations that Epic violated teens’ privacy and safety, too. And the second case alleges unauthorized in-app purchases – not just by kids, which was the focus of earlier FTC cases, but by users of all ages. Both cases rely on unfairness theories in extending their reach. Both incorporate the (now ever-present) concept of dark patterns (generally defined as practices that subvert or impair user choice). And both got a 4-0 Commission vote, with a strong concurrence from Republican Commissioner Wilson explaining her support for the FTC’s use of unfairness here. Neither case names any individuals.

The privacy case

The FTC’s privacy case alleges that, for over two years following Fortnite’s launch in 2017, Epic allowed kids to register with no parental involvement, and for kids and teens to play the game with features enabling them to communicate in real time with anyone on the platform. According to the FTC, these practices subjected kids and teens to bullying, harassment, threats, and “toxic” content, including “predators blackmailing extorting, or coercing children and teens…into sharing explicit image or meeting offline for sexual activity.” Further, says the FTC, Epic knew about these problems, resisted fixing them and, when it finally took action, added controls that were hard to find and use, and failed to cure the violations.

The complaint includes two counts. First, it alleges that that EPIC violated COPPA because it operated a website directed to children (based on e.g., visual content and features, merchandising tie-ins, and audience composition); knew specific users were kids (based on player requests, reports, and complaints): and failed to comply with COPPA’s notice, consent, access, and deletion requirements.

Second, the FTC alleges that EPIC engaged in an unfair practice by operating a “ubiquitous, freely available” video game that was directed at children and teens and that, through default settings allowing real time social interaction, put children and teens at risk of substantial injury.

Under the order, Epic must (1) fully comply with COPPA; (2) delete data collected in violation of COPPA; (3) provide default settings that prevent interaction between minors and other users, unless Epic obtains affirmative express consent from parents or teens or, alternatively, the user identifies as 13 or older through a neutral age gate; (4) implement a privacy program with third party assessments for 20 years; (5) submit annual certifications from Epic’s chief executive (for not just Epic, but certain affiliated companies); and (6) pay $275 million in civil penalties. The order’s definition of “affirmative express consent” prohibits the use of dark patterns.

What’s new or notable here? For one thing, the case provides further insight into how the FTC analyzes the “directed to children” element of COPPA (and to a lesser extent, “actual knowledge”), with detailed discussion of the factors it considered in the analysis. For another, the penalty is the largest ever obtained in a COPPA case and, according to the FTC, in any FTC rule violation matter. Of perhaps greatest significance, though, is FTC’s decision to address teen privacy in this case. Indeed, amidst all of the public discussion and concern about teen privacy (and on the same day Congress declined to include kid/teen privacy legislation in the end-of year omnibus package), the FTC announced a teen privacy case based on its existing FTC Act authority, with a 4-0 vote.

The dark patterns case

The FTC’s second settlement with Epic, framed in the press release as an “illegal dark patterns case,” is strikingly similar to the FTC’s earlier cases against Apple, Google, and Amazon involving unauthorized in-app charges by kids, but with some new elements. (In a prior post, we said that those three cases were essentially dark patterns cases but without the “catchy term.” I guess we were prescient!)

In brief, the complaint here alleges that Epic charged accountholders for purchases that weren’t authorized – either because accountholders weren’t told about, and didn’t authorize, their kids’ purchases, or because they themselves incurred unwanted charges due to poor disclosures and a deliberately confusing purchase flow.

At the same time, the complaint alleges, Epic designed the process for canceling purchases and seeking refunds to be difficult and cumbersome, and even deactivated user accounts (removing allof the user’s content) when users attempted to dispute unauthorized charges. According to the FTC, users incurred billions of dollars in unwanted charges. Further, despite receiving thousands of complaints and acknowledging the issues in internal emails (and even after the FTC took action against Apple, Google, and Amazon for similar practices), Epic failed to correct the problem.

The complaint contains two counts. First, it alleges that Epic engaged in unfair billing practices by charging users for in-app purchases without express informed consent from the accountholder. Second, it alleges that Epic unfairly denied consumers access to their accounts after they disputed unauthorized charges.

The order, in turn: (1) prohibits charging any user without express informed consent; (2) in the case of consent for continuing charges, requires that consumers be able to revoke consent at any time, using a mechanism that isn’t difficult, costly, confusing, or time-consuming, and is as simple as the mechanism used to initiate the charges; (3) enjoins Epic from denying someone access to their account “for reasons that include” disputing a charge; and (4) obtains $245 million in refunds.

What’s new or notable in this case? First, as already mentioned, the case extends, not just to obviously-unauthorized in-app purchases by kids, but also to purchases by older users. Second, the FTC is once again focusing on ease of cancellation (see our post on the FTC’s Vonage settlement), requiring that cancelling recurring charges be just as simple and frictionless as signing up. Third, the FTC appears to be saying that deactivating accounts following the dispute of charges is per se illegal (and, due to the broad wording of the injunction, that companies can never cancel an account for this or any other reason).

Finally, this is an example of the FTC’s continuing ability to obtain consumer redress post AMG. In a case like this, where no rule violations have been alleged, the FTC would normally be forced to pursue redress using a two-step process – an administrative action, followed by a federal district court action. Here, Epic has simply agreed to pay redress in one step.

Why two cases and not one?

Some readers might be wondering why the FTC split this matter into two cases. Under the FTC Act, the agency must refer any civil penalty case (here, the COPPA/privacy case) to the Department of Justice for filing in federal district court. By contrast, as discussed above, the FTC must initiate an administrative action to obtain redress in non-rule matters (here, the dark patterns case). While there may be some theory for consolidating both cases into one DOJ action, that would be exceedingly complicated – even more so than the shortcut the parties agreed to here. These cases were also handled by two different FTC divisions, which also may have weighed in favor of bifurcation.

* * *

One last thing – as if the cases themselves weren’t enough to digest, it’s worth taking a look at Epic’s post on the topic, explaining that the laws haven’t kept pace with technological developments but fully embracing the principles and requirements laid down in the settlements.

The panelists started with the basics by explaining that a multistate is simply two or more states voluntarily working together on a matter of common interest with the main benefits of participating being to share resources and expertise. This creates the ability to take action that an individual state might otherwise not be able to do. An important point made multiple times throughout the session was that each state is a sovereign tasked with doing what is best for their respective jurisdictions, and each sovereign can leave a multistate at any time. The panelists provided some history of multistates, including the Standard Oil matter from the early 1900’s, and mentioned one of the first consumer protection multistates from the late 1970’s regarding General Motors.

While multistates can have many positives from both the state and business side, they often have the negative attribute of being very slow, which the panelists explained can be caused by different factors including lengthy confidentiality agreement negotiations, and disagreements not only between the states and the business, but also among the states themselves. Other factors they identified include differences in state laws, time necessary to review what is often a large amount of documents, other related actions such as by local jurisdictions affecting the state matter, and finally, perceived delay tactics sometimes used by defense counsel. In regard to remedies sought by the states, the importance of consumer restitution was highlighted, including the historical recovery of restitution in matters. The panel also discussed reasons why consumer restitution may not be sought in a state matter, including when consumers were already made whole through a federal or private action.

In regard to NAAG, the panel expanded on the organization’s role in consumer protection multistates. They noted that in the media information about the organization often seems to be conflated with activities of NAAG’s members. In regard to consumer protection multistates, panelists explained that NAAG serves in an administrative capacity only, and has no decision-making authority regarding who is the subject of an investigation or how an investigation should be pursued or resolved. Discussion also ensued about grants available to attorney general offices for consumer protection matters and who controls those grant funds. Per the panelists, NAAG staff only serves in an administrative role while bipartisan groups of attorneys general review and determine who receives grant funds. Tom Miller, Iowa Attorney General and the outgoing NAAG President, made this same point during the Forum, citing a great amount of misinformation about the grant funds and false statements about how grant approval voting has become partisan.

In addition to correcting misinformation, NAAG members are looking hard into how it is organized with many calling for change to the association in the past year. One major change that was implemented during the Capital Forum was in relation to the succession of the NAAG Presidency. Prior to the change, the succession was based on a regional structure, as regional representation took precedence when the former rules were put into place. This created a string of presidents from the same political party, including three Republicans in a row from 2017 to 2020 and two Democrats in a row from 2021 to 2022, with Attorney General Josh Stein of North Carolina slated to be the third in the Democrat string. Attorney General Stein agreed to bypass his presidential year however, jumping from President-elect to immediate Past-president (and allowing him to joke that he now holds the record for the shortest term of NAAG president in history). Now, the presidency will alternate political parties each year, with Ohio Republican Attorney General Dave Yost receiving the gavel pass at the Forum, and now serving as NAAG President. Each president chooses an initiative, and Attorney General Yost announced his will focus on the military and veterans.

Outgoing NAAG President Miller reflected at the Forum on his efforts to bring people together and create balanced programming, which was noticeable at this Forum with sometimes heated discussions on panels covering controversial topics such as ESG. Attorney General Miller is the longest serving attorney general in history, with forty years of service under his belt, and was labeled by many throughout the Forum and throughout his career as a true statesman. James McPherson, former NAAG Executive Director, former U.S. Under Secretary of the Navy, and a retired U.S. Navy Admiral thanked General Miller for his years of service and then moved his keynote focus to the current status of NAAG.

Per Admiral McPherson, NAAG is facing a challenge, with some members having withdrawn from NAAG. He stated that he will not judge the merits of the reasons members have withdrawn, but noted that perception is reality, and that efforts to bring back members who left must address the perceptions they based their leaving on. In regard to competing organizations, he noted that each has unique and valuable opportunities, and that it is not a zero sum game, with each organization able to do things that the others do not. Admiral McPherson emphasized to the attorneys general that NAAG is there to help them serve their constituencies, meet their goals, and ensure the rule of law.

While it remains to be seen whether these messages and reforms will be enough to reunite the states, we anticipate that 2023 will see continued efforts from NAAG to implement further reforms to create a more balanced organization. Also important will be how AGs continue to evaluate the multistate process in response to public criticisms, and whether such criticism will lead to more individual state investigations and suits. As the enforcement community continues to define terms like “dark patterns” and identify proper data security practices, fractures among the states can have the negative effect of creating multiple, competing definitions with uncertainty for those trying to comply. We will continue to monitor these developments throughout 2023.

As workforces become increasingly mobile and remote work is more the norm, employers face the challenge of balancing the protection of their employees’ personal data and privacy against the need to collect and process personal data to recruit, support and monitor their workforces. Mounting regulations attempt to curb employers’ ability to gather and utilize employee data—from its historical use in processing employee benefits and leave requests to employers’ collection, use or retention of employees’ biometric data to ensure the security of the organization’s financial or other sensitive information systems. Learn what employers can do now to protect employee data and prepare for the growing wave of data privacy laws impacting the collection and use of employee personal data.

RSVP

Avoiding Price Gouging Claims Wednesday, August 3 Recently State Attorneys General, the House Judiciary Committee, and many others have weighed in on rising prices in an attempt to weed out price gouging and other forms of what they deem “corporate profiteering.” States and federal regulators are carefully looking at pricing as consumers and constituents become more sensitive to the latest changes and price gouging enforcement is an avenue states may be able to use to appease the public. Unlike other emergencies in the past, the current state of supply chain and labor shortages, along with skyrocketing costs for businesses, make it unrealistic for companies to simply put a freeze on any price increases. This webinar will cover:

• The basics of price gouging laws and related state emergency declarations and how to comply • The differences and varied complexities in state laws • General best practice tips • How AGs prioritize enforcement

Register

* * * *

Find more upcoming sessions, links to replays and more here

Chopra was confirmed last week as CFPB Director and the announcement is likely to be one of his last acts as FTC Commissioner before he departs for the CFPB on Friday. Levine was formally named Director of the Bureau of Consumer Protection last week by Chair Lina Khan, following his stint as Acting Director. In prepared remarks announcing the notices, Chopra characterized the Penalty Offense Authority as “a unique authority in consumer protection enforcement . . . that past Commissioners largely ignored, depriving our hardworking staff of the ability to pursue the full range of sanctions against bad actors.” Chopra emphasized that its use was particularly important in the wake of the Supreme Court’s decision in AMG Capital Management. The move also follows last month’s cease and desist letters issued to companies making diabetes treatment claims, which were structured to include references to the FTC’s Penalty Offense Authority.

In yesterday’s notice, the FTC identifies seven categories of claims made by for-profit colleges that the FTC has determined to be deceptive or unfair, including misrepresentations about the need or demand for consumers who have graduated from the institution, employment prospects, the number or percentage of graduates who have obtained employment, and typical or potential earnings for graduates. The notice includes cites to three dated decisions from 1980, 1971, and 1952 as support for use of the Penalty Offense Authority. The Penalty Offense Authority requires the Commission to have determined in a litigated administrative decision under Section 5(b) that a specific act or practice is unfair or deceptive, issue a final cease and desist order regarding that practice, and provide notice to an entity such that they have “actual knowledge” that the act is prohibited.

While it is clear that the FTC intends to aggressively use its Penalty Offense Authority, there are many unanswered questions about that use:

• Are precedents from 40 or more years ago sufficiently similar to serve as a predicate offense? Legislative history to the Penalty Offense Authority makes clear that Congress intended use of the authority to be limited. Does the FTC’s reliance on dated decisions involving different facts align with the provisions of the FTC Act, congressional intent, and due process standards? Notably, the Commission itself never even issued a determination that any act or practice was unfair or deceptive in MacMillan, one of three cases relied upon in yesterday’s notice. Instead, the Commission allowed an initial unappealed decision by the ALJ to become final. Particularly in the wake of AMG and courts taking a closer look at actual FTC authority, it seems unlikely that MacMillan qualifies under Section 5(b)’s requirement for the Commission to “make a report in writing in which it shall state its findings as to the facts.”
• Are the facts and legal standards sufficiently similar? A lot has changed in the 40-60 years from the decisions cited in the notice letters. While the limits of the Penalty Offense Authority have not been extensively tested, at least one court has rebuked the FTC’s attempted use of the authority where the facts in the underlying decision were not sufficiently similar to the new conduct.
• Who’s next? For-profit colleges were just one of a number of targets identified in Chopra’s and Levine’s paper. Other industries ripe for use of the Penalty Offense Authority according to the paper include direct sellers and others in the gig economy making earnings claims, deceptive online reviews and influencer campaigns, deceptive data harvesting and privacy misrepresentations, and targeted advertising that allegedly runs afoul of the Fair Credit Reporting Act. Income claims seems like the most likely next target, particularly given the Commission’s forthcoming review of the FTC’s Business Opportunity Rule.

With an unprecedented attack on policies the Federal Trade Commission had long embraced, the new majority of Democratic Commissioners revealed a bold enforcement agenda that would circumvent Supreme Court decisions and avoid Congressional limits.

It was a meeting like none the Federal Trade Commission has ever held. On one week’s notice, the Commission adopted new rules to impose civil penalties on substandard Made-in-USA claims, removed judges and safeguards from rulemaking proceedings, rescinded its 2015 enforcement policy statement on unfair methods of competition, and granted staff more authority to issue subpoenas and civil investigative demands. The vote on every issue followed party lines. Republican Commissioners, Noah Phillips and Christine Wilson, voted against all, and the Democratic Commissioners, Chopra, Khan, and Slaughter, rejected all amendments. Chair Khan announced that public meetings will become regular events at the FTC.

Made in USA Claims

Commissioner Chopra took the lead on the Made-in-USA (MUSA) rule, which would impose civil penalties on claims that do not meet FTC standards for domestic content, whether those claims appear on labels or in marketing. He criticized the Commission for years of allegedly allowing deceptive claims to persist and wrongdoers to escape fines. Imposing fines, he said, was one way of recovering the power the Commission was denied in the Supreme Court’s decision in AMG Capital Management v. FTC, which held that Section 13(b) of FTC Act did not authorize the Commission to obtain monetary relief.

Phillips opposed the rule, saying that Congress had not given FTC the authority to cover off-label claims; it had authorized MUSA rules only for product labels. Unless and until Congress granted authority for expedited rulemaking on advertising claims, which Congress is now considering, he insisted that the FTC was bound to use the more restrictive Magnusson-Moss procedures. Wilson objected to the short notice announcing the meeting, objected to the exclusion of staff from the meeting, and warned that it was unwise to disregard a unanimous Supreme Court that had just admonished the Commission for exceeding its authority to obtain money in consumer protection cases.

Expediting Rulemaking

Foreshadowing an ambitious regulatory agenda was a motion to streamline new rules under Section 18 of the FTC Act. The motion would remove the chief administrative law judge from the role of presiding officer in rulemakings. The FTC Chair would preside. The motion also proposed eliminating the requirement of a staff report to accompany a rule recommendation. Slaughter said these were unnecessary “self-imposed” limits. Chopra praised the proposal for helping end the era of “perceived powerlessness” at the FTC

Phillips and Wilson objected, citing concerns that removing the judge would threaten the independence of the rulemaking process – an extensive fact-finding exercise – and lend support to challengers who claim that FTC rules are politically motivated. As for staff reports, Phillips remarked that these gave the Commissioners and the public some confidence that a rule would not inflict unnecessary harm on the economy. Wilson reminded her colleagues that zealous rulemaking in the 1970s precipitated an existential crisis for the agency. It closed its doors after public resistance and widespread ridicule prompted Congress to defund the FTC. Not until the Commission promised a return to responsible enforcement was it allowed to reopen. The FTC delivered on that promise with a series of policy statements clarifying unfair acts and practices, illegal deception, and necessary substantiation for advertising claims.

Wilson proposed posting the procedural changes for comment. It failed 3-2. Phillips proposed retaining the chief judge and the staff report. It also failed to attract a Democratic vote. Rulemakings without a judge and without a staff report passed without a Republican vote.

Rescinding the Competition Policy Statement

In a sweeping departure from a bipartisan antitrust policy, the Commission rescinded its 2015 Policy Statement on Unfair Competition. Khan argued that the FTC should not have to show a likelihood of harm to competition in order to declare conduct unfair. In her view, the FTC Act was intended to circumvent the Supreme Court’s adoption of the Rule of Reason in antitrust cases – a requirement that condemned restraints of trade only when their anticompetitive effects outweighed the procompetitive benefits. The Rule of Reason made it too hard to prove violations, said Khan, and the FTC’s policy statement improperly confined the agency to an enforcement policy indistinguishable from the standards that DOJ applied.

Wilson regarded the rescission as an abandonment of the consumer welfare standard, the framework of antitrust analysis for half a century. She expressed fears that if competition policy were not designed to benefit consumers, it could be coopted by special interests. She added that when the FTC had failed to apply a standard consistent with the antitrust laws in the past, its decisions had often been reversed on appeal. (The FTC lost a string of appeals in the 1980s when it attempted to prohibit refusals to deal, price discrimination that might be competitive, supplier-distributor pricing policies, and practices that could facilitate collusion.) Phillips noted that the Supreme Court’s decision in NCAA had just applied the Rule of Reason in holding for plaintiffs, so it was hardly a bar to successful prosecution. Of concern to the Republicans was a proposal in Congress that would eliminate the FTC’s competition authority altogether.

Proposals to seek comment on the rescission were voted down on party lines. Competition policy at the FTC will depend on future Commission actions.

Targeting Sectors and Suspects

Finally the FTC identified seven areas in which it would adopt omnibus resolutions authorizing compulsory process – civil investigative demands and subpoenas enforceable in court. The Commission typically authorizes compulsory process when it identifies specific companies or conduct – like a merger or a deceptive practice – warranting intensive and urgent investigation. These resolutions covered broad sectors of the economy and authorized investigations under practices any law the FTC enforces. As explained in its press release, the Commission’s crosshairs are focused on these sectors and individuals:

Priority targets include repeat offenders; technology companies and digital platforms; and healthcare businesses such as pharmaceutical companies, pharmacy benefits managers, and hospitals. The agency is also prioritizing investigations into harms against workers and small businesses, along with harms related to the COVID-19 pandemic. Finally, at a time when merger filings are surging, the agency is ramping up enforcement against illegal mergers, both proposed and consummated.

With these resolutions, the FTC delegated the decision to issue compulsory process to the staff and a single commissioner. In the past, an investigation into a new area could not use compulsory process until the commission voted on the resolution. These omnibus resolutions dispensed with that procedure. Khan hailed the move as cutting “red tape bureaucracy.” Wilson countered that the Commissioners were abrogating their sworn responsibilities of supervision. This last comment reveals the import of the change. If Chopra departs to the Consumer Financial Protection Bureau, which he has been nominated to direct, the Democrats will lose their majority. These resolutions will allow staff to open investigations, demand documents, and conduct depositions without the approval of the Commission. All the staff will need is the approval of a commissioner.

The Future of FTC Enforcement

In short, July 1, 2021 was an extraordinary day in the history of the FTC. It is an unmistakable harbinger of a Commission that is aiming to ramp up enforcement beyond the levels it sought to achieve in the 1970s. None of the supporters of the agenda had answers to the dissenters’ repeated questions: How will the agency overcome the obstacles that stymied its unbridled ambitions in the past? How will it respond to the resistance it will face from Congress, the courts, and the public it is supposed to serve? The public at this meeting, Phillips noted, was scheduled to comment after the Commission had made its decisions, so that their testimony would not be taken into account before the votes.

How far the Commission can take this agenda will be difficult to predict until the inevitable allegations of unauthorized investigations, arbitrary and capricious rules, unpredictable decisions, and deprivations of due process make their way to higher authorities. Safer predictions: We will see the fruits of yesterday’s decisions in the form of CIDs, subpoenas, proposed rules, and new interpretations of a century-old competition statute. Businesses and citizens will face the first engagement. Then Congress and the courts will join the fray. For a preview of potential outcomes, there is no better place to start than the rich literature of FTC history.

* * *

Subscribe here to Kelley Drye’s Ad Law Access blog and here for our Ad Law News and Views newsletter. Visit the Advertising and Privacy Law Resource Center for update information on key legal topics relevant to advertising and marketing, privacy, data security, and consumer product safety and labeling.

Kelley Drye attorneys and industry experts provide timely insights on legal and regulatory issues that impact your business. Our thought leaders keep you updated through advisories and articles, blogs, newsletters, podcasts and resource centers. Sign up here to receive our email communications tailored to your interests.

Follow us on LinkedIn and Twitter for the latest updates.

As we discussed in detail here, FTC Commissioner Rohit Chopra and his then attorney advisor Levine last year released a paper advocating for the Commission to resurrect the Penalty Offense Authority, which authorizes civil penalties where the following three conditions are met:

• a final cease and desist order has been entered against a party in an administrative proceeding under Section 5(b) of the FTC Act;
• there is a Commission determination that a specific practice is unfair or deceptive, as part of that order; and
• a party with actual knowledge that the practice is unfair or deceptive has engaged in that practice after the order became final.

Undeterred by this limitation, the TINA.org letter also provides a list of 660 direct selling companies with contact information “to assist the FTC in providing notice.” The organization’s efforts are the latest in a series of efforts that explore how the FTC can obtain money through enforcement in novel ways in the wake of the Supreme Court’s unanimous AMG Capital Management decision. For example, two weeks ago, the FTC filed an amended complaint against RCG Advances seeking civil penalties under the Gramm-Leach-Bliley Act under a new legal theory. Before that, the FTC brought an action against MoviePass seeking civil penalties under the Restore Online Shoppers’ Confidence Act (ROSCA), again under a novel theory of statutory interpretation.

The Commission has also signaled that it may seek to amend the Business Opportunity Role to cover direct sellers and others in the “gig economy.” The takeaway here is clear: even as the battle in Congress to pass legislation continues, the FTC and others are continuing to consider other methods to obtain money through enforcement.

The four new actions are against the following companies.

• Moda Latina, which allegedly targeted Latina consumers by deceptively claiming that consumers could “have your own business and earn up to a thousand dollars per week” and “earn a lot of money” and “large profits.” According to the complaint, the company typically charged between $199 and $299 for enrollment and a start-up kit with allegedly authentic products such as gold jewelry, brand-name perfumes, makeup and other beauty and luxury fashion products. The complaint alleges that the start-up kit often failed to include re-saleable goods and that the company had “no adequate basis for making earnings claims in connection with the marketing, selling, and advertising of Moda Latina.” The FTC asserted that 89% of consumers who place an initial order never place a second order as evidence of deception.
• Digital Income System, which allegedly sold a business opportunity scheme of selling memberships at various price points from $1,000 (Entrepreneur) to $25,000 (Executive). By purchasing a membership, consumers had the capacity to sell memberships to others and “earn a commission of up to 50% of his or her own membership level.” The complaint alleges multiple violations of the FTC Act and the Business Opportunity Rule, which applies to certain contracts where a seller solicits a prospective purchaser with opportunities to sell goods or services through specified arrangements.
• RagingBull.com, LLC f/k/a Lighthouse Media LLC, a company selling online services related to stock and options trading. According to the complaint, the company promoted courses from “self-made millionaires” with “simple-to-follow strategies for beating the market” and emphasized the alleged success of its founders and individually named defendants. The complaint identifies both general income claims (“Don’t Just Beat the Market…Crush It”) and more specific claims and testimonials touting earnings of “$6,500 in 20 minutes,” or “$500 in 15 minutes.”
• Randon Morris and his network of companies that sold storefront websites promoted to yield thousands of dollars in monthly income. According to the FTC, the companies played on consumer fears about the COVID-19 pandemic with robocalls in violation of the Telemarketing Sales Rule. The complaint further alleges that the companies deceptively advertised a relationship with Amazon and falsely suggested that consumers would receive commissions from Amazon purchases.

As a way to further promote compliance of the direct sales industry, the Direct Selling Association (DSA) is offering a three-part certification program beginning next month called the Direct Selling Compliance Professional Certification Program (DSCP-CP). The program is a great way for companies and individuals to learn more about compliance and risk mitigation strategies in the direct selling space, including related to income and business opportunity claims. More information about the DSCP certification program is available on DSA’s website here.

COVID-19 has brought a proliferation of products claiming to kill or otherwise inhibit viruses, bacteria and other germs. These products, before they can be legally sold, are heavily regulated by the U.S. Environmental Protection Agency (EPA), Food and Drug Administration (FDA), and sometimes both. Major enforcement actions are pending against companies making illegal claims or selling unregistered products. Meanwhile, the FTC regulates advertising of many sanitizing products and the agency has pursued enforcement on companies that overstate their products’ germ-killing performance.

Please join us for a webinar covering the basics of germ killing and related product claims.

Discussion topics include:

• The regulatory landscape: Who regulates what – EPA, FDA and FTC jurisdiction and requirements
• What can you say and when can you say it
• Potential liability and enforcement considerations
• What to do if you receive a warning letter or other enforcement action

To view the presentation slides, click here.

To view the webinar recording, click here.

Subscribe to our Ad Law News and Views newsletter to receive information on our next round of webinars and to stay current on advertising and privacy matters.

Visit the Advertising and Privacy Law Resource Center for additional information for additional information, past webinars, and educational materials.

DFS alleges these actions (or lack thereof) violated the following six requirements of the Cybersecurity Regulation:

1. Cybersecurity Program – The requirement to maintain a cybersecurity program that is designed to protect the confidentiality, integrity, and availability of information systems and to perform core cybersecurity functions, and that is based on a risk assessment.
2. Data Governance – The requirement to maintain and implement data governance and classification policies suitable to the business model and associated risks.
3. Access Privileges – The requirement to limit and periodically review user access privileges.
4. Risk Assessment – The requirement to conduct a periodic risk assessment that is sufficient to inform the design of the cybersecurity program.
5. Training – The requirement to provide regular cybersecurity awareness training for all personnel, and to update such training to reflect the risks identified in the risk assessment.
6. Controls – The requirement to implement controls, including encryption, to protect NPI held or transmitted.

Summer associate Katrina Hatahet contributed to this post. Ms. Hatahet is not a practicing attorney and is practicing under the supervision of principals of the firm who are members of the D.C. Bar.

Watch the replay here.

Watch the replay here.

Six of the letters address both health and earnings claims, three address just earnings claims, and one addresses just health claims. Examples of allegedly deceptive health claims cited in the letters include:

• “Got the coronavirus heebeegeebees? Boost your immunity with this amazing deal!!!!”
• “… If interested to learn more or obtain oils or rollers Let me know A little extra protection can help #doterra #NursesCOVID19 #Dialysis #ImmunityBoosters #ImproveRespiratoryFunction”

Examples of allegedly deceptive earnings claims cited in the letters include:

• “Need to make extra money? Find it difficult to pay your bills? Were you laid off/ #fired? Be your own Boss w/doTERRA essential oils. Msg me to achieve financial independence #laidoff #unemployed #cantpaymybills #cantpaymyrent #student #sales #sidehustle #makemoney #stayathomemom.”
• “[E]veryone’s getting stimulus checks right now… There is no better investment you could do… Take that money that you’re about to get back… figure out a way to make this happen tonight.”

As a matter of longtime FTC precedent, the answer should be no, and the warning letters don’t go this far. But, the letters do underscore that the FTC is watching closely for any reference to COVID-19 or the pandemic, and MLMs and their participants should take note.

The Warning Letters

The agencies identified the three VoIP gateway providers as the sources of the illegal calls through the efforts of the USTelecom Industry Traceback Group, a consortium of phone companies that help officials identify potentially unlawful calls. The phone companies used a process known as “traceback,” in which they share information to trace unlawful spoofed robocalls to their origination.

In the letters, the agencies reminded the companies that the COVID-19 scam robocalls are in fact illegal and directed them to cease transmitting the traffic immediately, as the calls have “the potential to inflict severe harm on consumers.” The letters warned the companies that if they did not stop transmitting the identified traffic within 48 hours, the FCC would authorize other U.S. voice providers to block all calls from the companies and take any other steps necessary to prevent transmission of the calls. The agencies also sent a separate letter to USTelecom advising the trade association that, if the VoIP providers do not block the traffic, the FCC will authorize other U.S. service providers to block all calls coming from that gateway and will take other actions as necessary to authorize U.S. service providers to block traffic from the originating entities. In addition, the FCC encouraged other service providers to take immediate action to block unlawful calls pursuant to existing legal authority.

This action is a significant – and significantly aggressive – new approach by the agencies. While both agencies have taken actions to prevent and deter unlawful robocalls, the threat to block traffic from the originating carrier is a new tactic in the fight against unlawful calls. Notably, it is not clear under what authority the FCC can or would order the blocking of all traffic from the subject VoIP gateway providers if they failed to block the allegedly unlawful robocalls. The letter does not cite any provision of the Communications Act that would authorize such blocking. Moreover, existing FCC orders relating to call blocking have authorized only limited call blocking practices that were optional for the carriers. Were the FCC to order such blocking (and to make it mandatory), it appears that such action would be the first of its kind by the agency.

Briefly, we will review the agencies’ recent history with anti-robocall activities.

The Educare Services Enforcement Action and Prior FTC Warning Letters

In the three letters to the VoIP gateway providers, the FCC and FTC reference the FTC’s recent enforcement action against VoIP provider Globex Telecom. This action relied upon provisions of the FTC’s Telemarketing Sales Rule (“TSR”), which addresses calls made for a telemarketing purpose. In December 2019, the FTC obtained a preliminary injunction against Educare Services and Globex Telecom Inc. for robocalling consumers to promote allegedly fraudulent credit card interest rate reduction services. The FTC complaint alleges that Globex played a key role in “assisting and facilitating” the illegal credit card interest rate reduction services Educare promoted by providing Educare with the means to call consumers via interconnected VoIP communication services and facilities. For a VoIP company to be liable under a TSR “assisting and facilitating” theory, the FTC must prove that the company “knew or consciously avoided knowing” the robocall campaigns violated the TSR.

A week before the joint letters, the FTC sent letters to nine VoIP service providers and other companies warning them that “assisting and facilitating” in the transmission of illegal COVID-19-related telemarketing or robocalls is unlawful. The agency also sent letters to nineteen VoIP service providers in January with a similar warning about all illegal robocalls.

FCC TRACED Act Implementation and the STIR/SHAKEN Mandate

Like the FTC, the FCC recently shifted its focus in robocall enforcement towards the originating carriers. On February 4, 2020, the FCC’s Enforcement Bureau sent letters to seven VoIP gateway service providers, notifying them that unlawful robocalls had been traced to their networks and asking for their assistance in tracking down the originators of the calls. Although no enforcement action was threatened at the time, the FCC also asked each provider to detail their anti-robocall efforts to the Commission.

More recently, the FCC took several steps in implementing the TRACED Act, which requires the FCC to initiate several near-term rulemakings and other actions aimed at addressing unlawful spoofing and robocalling operations. On March 27, the agency adopted a Report and Order and Further Notice of Proposed Rulemaking establishing rules for the registration of a single consortium to conduct private-led “traceback” efforts, which is expected to formalize the relationship with the USTelecom Industry Traceback Group. Additionally, on March 31, the FCC adopted a separate Report and Order and Further Notice of Proposed Rulemaking mandating that originating and terminating voice service providers implement the STIR/SHAKEN framework in the IP portions of their networks by June 30, 2021. STIR/SHAKEN—the technology framework behind the “traceback” process—allows providers to verify that the caller ID information transmitted with a particular call matches the caller’s number as the calls are passed from carrier to carrier. FCC Chairman Pai previously urged major providers to adopt STIR/SHAKEN technology voluntarily and warned that the voluntary approach would become a mandate if the providers did not move fast enough. Still to come are comments on a “know your customer” obligation for service providers and rules to deny access to numbering resources to originators of unlawful calls.

As we have previously noted, the TRACED Act also requires the implementation of an alternative call authentication framework in non-IP networks, extends the FCC’s statute of limitations for bringing some illegal robocall enforcement actions, and eliminates the requirement to give warnings before issuing certain filings.

Takeaways

These letters, coupled with the recent activity by the FTC and FCC to combat illegal robocalls, signal the agencies’ desire to cause a meaningful reduction in unlawful calling, and in particular, demonstrate a desire to prevent scammers from taking advantage of the COVID-19 crisis to carry out their deceptions. Both agencies can seek civil penalties and take other actions necessary to prevent the proliferation of these calls.

Importantly, the targets of agency action are not necessarily limited to the entities that place the unlawful calls. These federal actions are a good reminder for VoIP and other service providers to assess whether their customers’ practices may indicate unlawful use of VoIP or other services. With the warning letters, and now these blocking letters, the FCC and FTC increasingly are showing an openness to pursuing penalties under vicarious liability theories. If there are facts that support knowledge of the unlawful activity or “red flag” type practices (such as a customer being the target of multiple third party government subpoenas, among other facts), that’s a good indication that further steps by the VoIP provider may be warranted to mitigate the risk of facing an enforcement action by the FTC or FCC. If you have questions about how these enforcement trends and related risk factors are relevant to your business, please contact your Kelley Drye counsel.

Even if enforcement begins July 1^st, companies must contend with another glaring obstacle: the AG has not yet issued final regulations. The AG has a narrow window to complete its final regulations, leaving companies with less than three months advance notice to implement highly technical final regulations. If the AG fails to meet its statutory deadlines, the AG’s enforcement of the CCPA would begin before final regulations are issued.

In March, the AG released a third draft of CCPA regulations, with comments due on March 27^th. Now, the AG can either issue another round of proposed regulations or finalize the regulations. The third draft had far fewer changes than previous drafts, indicating the AG may be ready to finalize the regulations, although the AG has remained largely silent in explaining the reasoning behind any changes to its various drafts.

Once the AG is ready to issue final regulations, the AG will send the regulations to the Office of Administrative Law, which generally has up to 30 working days to review regulations, although an executive order linked to the COVID-19 crisis extends the Office’s deadline by 60 calendar days.

Once reviewed, the Office transmits the final rule to the Secretary of State for adoption. The effective date of the final CCPA regulations depends on the date that the Office files the regulations with the Secretary of State. For example:

• If filed March 1 – May 31: the effective date is July 1.
• If filed June 1 – August 31: the effective date is October 1.
• Another effective date may be possible if the AG demonstrates good cause.

Given this timeframe, companies seeking to comply with the new CCPA regulations should not wait for final regulations to stand up compliance processes. With enforcement slated to arrive either at the same time as or before the effective date of new regulations, covered businesses should work with privacy counsel to prepare for CCPA as soon as possible.

We will continue to follow new developments that may impact the timeframes for implementation of the CCPA regulations. If you have questions on how the regulations may impact your business, please contact Alysa Hutnik or Alex Schneider at Kelley Drye.

Representations About Shipping Dates The Mail Order Rule requires that when you advertise merchandise, you must have a reasonable basis for representations about timing for shipping. If you provide no shipping date, you must have a reasonable basis for believing that you can ship within 30 days. Particularly in these times of uncertainty, companies may choose to use a shipping date that is further out than what they would reasonably anticipate in typical circumstances.

Initial Delay Notice If you cannot ship the merchandise by the promised time frame or within 30 days, you must notify the customer and give the option to cancel the order and obtain a full and prompt refund.

If you know when you can expect to ship the merchandise, the initial delay notice must contain: (1) the revised shipping date; (2) the customer’s ability to cancel for a full refund; and (3) a statement that a customer’s non-response is a consent to the delay.

If you cannot provide a revised shipping date, the initial delay notice must contain: (1) the reason for the delay and (2) a statement that, if the customer agrees to the indefinite delay, the customer may cancel the order any time before shipment.

Subsequent Delay Notices Given the current unpredictability around supply chains and distributions, companies may be unable to ship by the date included in the initial delay notice. If that occurs, prior to that date, you must send a “renewed” delay notice. Although this notice must include much of the same information as the initial delay notice, a customer must expressly consent to further delay.

A renewed delay option must include information about: (1) a revised shipping date; (2) the customer’s ability to cancel for a full refund; and (3) a statement that, unless the customer agrees to wait beyond the most recent definite revised shipment date and the company has not shipped by then, you will automatically cancel the order and issue a prompt refund.

If you cannot provide a new definite revised shipping date, the notice must include: (1) the reason for the delay; and (2) a statement that, if the customer agrees to the indefinite delay, the customer may cancel the order any time until shipment.

Instead of sending a delay notification, you can cancel the order and send a refund, as long as you notify the customer and send the refund within the time you would have sent the consent notification.

Exemptions to the Rule Not all merchandise is subject to the Mail Order Rule. For example, products such as monthly gift clubs, subscription boxes, and magazine subscriptions are exempt, although because the FTC could still challenge practices allegedly unfair or deceptive, we recommend taking reasonable steps to notify consumers about shipping delays and to offer options for cancellation and perhaps a refund.

Enforcement The FTC can extract large civil penalties for violations of the Mail Order Rule: up to $43,280 per violation plus consumer redress. For example, in FTC v. DiscountMetalBrokers, Inc., a court ordered DiscountMetalBrokers to pay over $6 million for violations of the FTC Act and the Mail Order Rule. The FTC has also levied fines of over $800,000 in settlements related to alleged Mail Order Rule violations.

* * *

The Mail Order Rule imposes very specific requirements that companies should navigate carefully, COVID-19 or not. As companies face shipping and distribution disruptions, appropriate notice to customers as delays become known will avoid Mail Order Rule violations and enforcement.

For other helpful information during this pandemic, visit our COVID-19 Resource Center.

Update: Our article, Top FTC Rules and Guides You Should Keep in Mind, and other mail order rule blog posts may also be useful.

• On Monday, the President signed an executive order to prevent hoarding and price gouging of crucial medical supplies. It authorizes criminal prosecution of anyone whose purchases exceed reasonable limits. Attorney General Barr concurrently announced that the Justice Department has already launched hoarding investigations to carry out the order.

So, if you’re sitting on 17,700 bottles of hand sanitizer, it’s probably time to donate that….

• The AGs in 32 states sent a letter to online retail platforms (Amazon, eBay, Craigslist and others) urging them to do more to crack down on price gouging. The letter calls for the platforms to set policies and enforce restrictions on price gouging during emergencies, trigger these protections independent of or prior to an emergency declaration, and create and maintain a fair pricing page or portal where consumers can directly report price gouging incidents.
• In a March 17 letter, the House Energy & Commerce Committee urged the FTC to take action to protect consumers from price gouging. The Committee also says it will continue to pursue other means, including legislation, to protect consumers.

What’s the takeaway? Operators of online retail and advertising platforms should be evaluating pricing practices to ensure that they do not run afoul of the patchwork of state laws governing price gouging. Further, compare existing practices to those outlined in the AG letter and see what can be done to address these points.

• And finally, as a follow up to reports of consumers using Tito’s Vodka to make hand sanitizer, Tito’s Vodka announced this week that it will be producing 24 tons of hand sanitizer and donating it. Cheers to that. Stay well!