While the Bureau has always had enforcement authority over digital wallets and payment apps, the proposed rule would newly authorize the Bureau to “supervise” the providers, including by conducting periodic examinations, which can include on-site or remote inspections, review of company compliance policies and procedures, testing transactions and accounts, and evaluating management and recordkeeping systems. Examinations may result in supervisory letters, compliance ratings, or, if inspectors identify perceived legal violations, enforcement actions with fines and civil penalties.

The Bureau’s proposed rule – its sixth effort to supervise nonbank providers of financial services – comes as an increasing number of financial transactions occur outside the traditional banking system. “Payment systems are critical infrastructure for our economy,” Director Chopra said in a press release announcing the new rule. “These activities used to be conducted almost exclusively by supervised banks” and the proposed rule is intended to require fintech providers to “play by the same rules as banks and credit unions.”

The rule would open up supervision and inspection for “larger participants” offering “general-use digital consumer payment applications,” including digital wallets, payment apps, funds transfer apps, person-to-person (P2P) payment apps, or similar. The proposed rule notes that subject entities would be examined for compliance with federal consumer financial laws and their prohibition against unfair, deceptive, and abusive acts and practices, the privacy provisions of the Gramm-Leach-Bliley Act and Regulation P, and the Electronic Fund Transfer Act and Regulation E, amongst other laws.

The rule would only apply to companies that the CFPB defines as “larger participants” and proposes a threshold of companies that process five million transactions in a year (including affiliated companies) that are not considered a “small business concern” by the Small Business Administration. The Bureau estimates that 17 providers of general-use digital consumer payment applications would currently meet the proposed threshold and that those providers handle roughly 88% of known transactions in the nonbank market for general-use digital consumer payment applications. Notably though, those numbers are just estimates – and could be based on incomplete or inaccurate data. Either way, that number is likely to grow as fintech transactions continue to grow in popularity.

A few additional highlights on scope and key definitions:

• The proposed rule applies to larger participants providing a “covered payment functionality through a digital application for consumers’ general use in making consumer payment transactions.”
• A “covered payment functionality” is a “funds transfer functionality,” a “wallet functionality” or both. Wallet functionality is defined broadly to include any product or service that stores account or payment credentials, and that transmits, routes, or otherwise processes such stored account or payment credentials to facilitate a consumer payment transaction.
• “Digital applications” are defined as software programs run from a personal computing device, like a mobile phone, watch, or a tablet. The application should be available for “general use,” meaning it does not have significant limitations on its use for consumer payment transactions. According to the proposed rule, if the application can only be used to buy a specific category of products or services (i.e., transportation, lodging, food), it does not meet the definition of general use.
• The proposed rule defines “consumer payment transactions” to include paying another person for a “personal, family, or household purpose” and to exclude international money transfers or foreign exchange transfers, or a transaction conducted by a person for the sale of goods/services at that person’s store or marketplace.

The Bureau solicits comments on all aspects of the proposed rule, as well as specific definitions and limitations, and will accept comments until January 8.

Among the most significant of these developments is California’s SB 362 – a data broker bill that goes well beyond the registration requirements contained in California’s existing data broker law. Proposed earlier this year, SB 362 met with various twists and turns all summer, including strenuous opposition from industry members. However, yesterday (on the last day of the legislative session), the California Senate gave the bill final approval, concurring in the version passed by the California Assembly.

Now the law is on its way to the Governor Newsom for signature, and there have been no signs that he’ll veto it. Indeed, the bill’s chief sponsor, state Senator Josh Becker, has said that, while he hasn’t reached out to the governor, he expects the governor to sign. Others have surmised that Newsom will sign in light of the prominence of privacy in the Golden State, as well as concerns about data brokers’ collection and sale of reproductive health care data (an issue referenced in Section 3 of the bill).

What Does SB 362 Require?

Although the bill was amended throughout the legislative process, the core requirements remain largely the same. In brief, SB 362 expands California’s current data broker law by providing a centralized place where consumers can delete their data and limit the further sale or sharing of it, and requiring data brokers to undertake new disclosure, recordkeeping, and audit requirements. Some provisions will take effect in 2024 but most will be delayed until 2026 or even 2028. Specifically, SB 362:

• Requires data brokers to register with the California Privacy Protection Agency (CPPA) (instead of the California AG’s office, as required by the current law), pay a fee, submit detailed information, provide detailed disclosure to consumers, and comply with new recordkeeping requirements (expanded requirements phased in during 2024):
• Requires the CPPA to create an “accessible deletion mechanism” where consumers can at no cost direct some or all data brokers to delete all of their information, subject to the same deletion and other exceptions available under CCPA (beginning in 2026);
• Requires data brokers to continue to delete any new information received about the consumer every 45 days (2026);
• Requires any data broker that receives a deletion request not to sell or share any new personal information about the consumer unless the consumer requests it (2026);
• Requires any data broker that receives a request to direct their service providers and contractors to delete the information (2026);
• Requires a data broker that denies a request to delete because the request cannot be verified to process the request as an opt-out of sale/sharing and to direct its service providers and contractors to do the same (2026);
• Allows “authorized agents” to assist consumers in making deletion requests (2026);
• Requires data brokers to undergo independent compliance audits every three years (beginning in 2028);
• Authorizes penalties and administrative costs for noncompliance, including $200 for each day a data broker fails to register and $200 “for each deletion request for each day the data broker fails to delete information” as required. (These sanctions kick in as each of the above requirements become effective.); and
• Gives the CPPA discretionary rulemaking authority to implement the new law.

Of significance, the term “data broker” is defined broadly as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship” (though it excludes entities covered by the Fair Credit Reporting Act (FCRA), the Gramm Leach Bliley Act, the Health Insurance Portability and Accountability Act and similar California laws, and a California insurance law). As result of this broad definition, the bill extends not just to data brokers as they are commonly understood, but also to many members of the advertising industry that collect and sell data but do not have a consumer-facing relationship.

What Did Opponents Argue?

In a website created for the purposes of opposing SB 362, industry members pointed to the many beneficial support services they provide – such as stopping fraud targeting companies and the government; verifying identities for the administration of unemployment and nutrition programs; identifying potential donors for political and charitable campaigns; and allowing small businesses to compete and reach a larger customer base. They also stated that the California Consumer Privacy Act already covers data brokers and provides a full set of transparency and deletion rights to consumers as to these entities. These arguments didn’t carry the day, although the bill garnered a chunk of “no” votes in the California Assembly.

Why is this Significant?

As discussed in our prior posts on this subject, policymakers at the federal and state levels have debated for years whether to impose new statutory and/or regulatory requirements on data brokers, citing the sensitive nature of the information and profiles that they sell, the use of this data in making consequential decisions about consumers, and the invisibility of most data brokers to the public. However, to date, data broker-specific legislation has largely been limited to the FCRA and to the state data registry requirements now in effect in four states (though data brokers fall within many privacy laws of general applicability, of course).

The new requirements in SB 362 raise the potential that large numbers of consumers might opt out of the collection and sale by data brokers (broadly defined), whether on their own or through “authorized agents.” Thus, while the law confers significant new privacy rights on consumers, it also could substantially impact the data broker and advertising industries and the many businesses and services that rely on them. In addition, because California typically leads the states on privacy issues, it’s possible that other states will follow suit, amplifying these effects considerably.

Stay tuned as we continue to monitor this important topic.

Of note, Senators Blumenthal and Blackburn discussed the Kids Online Safety Act (KOSA) (their bill from last year, just re-introduced), which would impose a “duty of care” on tech companies and shield young people from harmful content. Senator Hawley, in turn, talked up his Making Age-Verification Technology Uniform, Robust, and Effective Act (MATURE Act), which would enforce a minimum age requirement of 16 for users of social media platforms. (As noted below, panelists were quite skeptical that this would work.)

The event highlighted, once again, the bipartisan interest in tackling the harms that minors face online. Here’s more detail on what happened:

First up, opening remarks from Chairman Durbin (D-Ill.), Ranking Member Graham (R-S.C.), and Senators Blumenthal (D-Conn.) and Blackburn (R-Tenn.)

Chairman Durbin kicked off the hearing by explaining that the internet and social media have become a threat to young people. He noted that while the Internet offers tremendous benefits, cyberbullies can hurt kids online via platforms like Facebook and Snapchat. Durbin stated that “we don’t have to take” the lucrative business that the platforms (who were not in attendance) have created to keep kids’ eyes glued to the screens. He said that the addictive nature of the platforms has created a mental health crisis – causing anxiety, stress, and body image issues, for example – which can lead to tragic results.

Sen. Graham announced that he and Sen. Warren (D-Mass.) are working on a bipartisan bill to create a Digital Regulatory Commission with the power to shut down websites that don’t engage in “best business practices” to protect children from sexual exploitation online. He also expressed concern about the lack of regulatory oversight for the abuses of social media.

Sen. Blumenthal promoted KOSA, and also committed to major reform of Section 230. Sen. Blackburn echoed these sentiments, describing social media as the Wild West: the kids are the product, there are very few rules, and data is taken and sold to advertisers. Blackburn added that she wants social media to be safer by default, not something that becomes safer after a consumer takes additional steps. She also said that she supports transparent audits of company practices.

Next, the Statements from Witnesses

Kristin Bride is a Survivor Parent and Social Media Reform Advocate whose son took his own life after being cyberbullied via anonymous messaging apps on Snapchat. She explained how she was ignored when she reached out to the apps for help in learning the bullies’ identities. Then, when she filed a class action against Snap, it was dismissed due to Section 230 immunity. While Snap did remove the anonymous messaging apps after she filed the class action, she has seen new apps pop up that charge children to reveal the identities of those sending harmful messages.

Emma Lembke, a sophomore in college and the founder of the Log Off movement, expressed frustration with being a passive victim of big tech, saying that social media led her to disordered eating. She also stressed the importance of including young people in efforts to effect change.

Michelle DeLaune is President and CEO of the National Center for Missing & Exploited Children. One of her chief concerns is companies’ use of end-to-end encryption. Encryption allows people to send messages that platforms cannot read or flag for harmful content. She described this as “turning off the lights” on content that exploits children.

John Pizzuro is the CEO of Raven and a former Commander of the Internet Crimes Against Children Department of the New Jersey State Police. He explained that police are overburdened with cybercrime reports, forcing them to become far more reactive and less proactive in protecting children online.

Dr. Mitch Prinstein, Chief Science Officer at the American Psychological Association, testified that many social media apps are directed to children. He said that the average teen picks up their phone over 100 times per day and spends over eight hours per day on social media, developing a clinical dependency. According to Prinstein, social media stunts kids’ ability to develop healthy relationships; increases loneliness, stress, anxiety, and exposure to hateful content; and causes lack of sleep. He supports more federal funding for research on the effects of social media, and believes that manipulating children and using their data should be illegal.

Finally, Josh Golin, Executive Director of Fairplay, said he supports policies to make the internet safe, non-exploitative, and free of Big Tech. He said that digital platforms are designed to maximize engagement because companies make more money the longer kids spend online. They use manipulative design and relentless pressure to entice kids to use the platforms as often as possible, thereby profiting from targeted ads. Golin supports limits on data collection; banning surveillance advertising based on teen's vulnerabilities; holding platforms liable for design choices that affect young people; and requiring transparency for algorithms.

Questions from the Committee

Committee members asked an assortment of questions, some related to kids’ privacy and others related to tech issues more broadly.

Sen. Durbin highlighted Section 230 immunity, which last year’s EARN IT Act would amend. Sen. Whitehouse (D-R.I.) also said he supported Section 230 reform and that he wants to see class actions like Ms. Bride’s be allowed to continue, rather than dismissed on immunity grounds. Sen. Hirono (D-HI) cautioned against a wholesale repeal of Section 230 and stressed that any reform should be done carefully. Sen. Graham reiterated his support for a Digital Regulatory Commission, while also noting that repeal or reform of Section 230 would be a step in the right direction.

Others, such as Sens. Lee (R-Utah) and Coons (D-Del.), asked questions about the complaints received by the National Center for Missing and Exploited Children, and said they support better research on the design choices of social media. Sen. Coons added that he supports new mandates for platforms, including a duty of care; limits on data collection from kids; and disclosures regarding how they manage content. (As to the latter, see Coon’s bill from last year here).

Sen. Blumenthal echoed the call for further research on social media, including as to the role that it plays in, on the one hand, harming members of the LGBTQ+ community, and, on the other, providing this community with access to important information and connections. Meanwhile, Sens. Blackburn and Grassley (R-Iowa) mentioned the link between social media and drug-overdose deaths, and Sen. Ossoff (D-Ga.) mentioned his legislation, with Grassley, to address child exploitation.

Rounding out the discussion, Sen. Cornyn (R. Tex.) described the online landscape as “designed” to “hoover up” children’s data and stated that he supports legislation to “attack the business model.” Sen. Klobuchar (D. Minn.) said she supports imposing a duty of care on companies, as well as requirements to stop companies from pushing harmful content in response to innocent queries (for example, serving content related to disordered eating in response to a search for “healthy food”). Sen. Welch said he wants to focus on companies that target more clicks to obtain more ad revenue.

Finally, Sens. Kennedy (R-La.) and Hawley both pushed for legislation that would ban children under 16 from using social media. The witnesses generally agreed that this is unrealistic.

* * *

That’s our snapshot of the hearing. The question now is whether Congress will move forward on kids’ privacy legislation and succeed in 2023 where it fell short in 2022. Some related questions are:

• Where is the House on this issue? Will it resume its push for general privacy legislation (see last year’s bipartisan ADPPA) or follow the Senate’s lead and focus more narrowly on kids?
• What about the Senate Commerce Committee, which typically leads on privacy issues and could take up other bills, such as Senator Markey’s COPPA 2.0, which Markey has said he will re-introduce this year?
• What will happen at the FTC, which has sidestepped its review of COPPA (at least for now) but whose “commercial surveillance” rulemaking could affect the kids’ and teens’ privacy?
• With the Supreme Court seemingly reluctant to alter the scope of Section 230, will Congress tackle this issue in a serious way?

Stay tuned as we continue to track these and other developments related to kids’ privacy.

From “Whack-a-Mole” to “Rule-a-Palooza”

What explains the change? For one thing, the FTC majority believes that the FTC’s former way of operating (which it often describes as “case-by-case enforcement” or even “whack-a-mole”) hasn’t adequately protected consumers and competition, warranting the creation of stricter, broader rules for the entire marketplace. For another, in the wake of the Supreme Court’s decision in AMG (holding that the FTC can’t obtain monetary relief under Section 13(b)), the FTC is increasingly relying on other legal tools to get money – notably, alleging rule violations wherever possible, which enables the FTC to seek civil penalties and/or consumer redress. Hence the desire for more rulemaking, or what Commissioner Wilson has described (in strongly worded dissents) as a “Rule-a-Palooza.”

Wide Variety (New vs. Amended Rules, Mag-Moss vs. APA)

Some of the FTC’s rulemakings would create brand new rules using the FTC’s authority (under Section 18 of the FTC Act) to define and prohibit “unfair or deceptive” practices. In the past, as we discuss here, this type of rulemaking (often called “Mag-Moss” rulemaking) has proved to be lengthy and cumbersome due to the multiple steps that Congress added in the 70s and 80s to reign in perceived overreach by the FTC. Such steps include two rounds of comments (an Advance Notice of Public Rulemaking or ANPRM and a Notice of Public Rulemaking or NPRM) and, in many cases, public hearings. In addition, because Mag-Moss rulemakings are initiated by the FTC without specific direction from Congress, they also tend to be controversial – especially when they are as broad and ambitious as some of the FTC’s current proposals are.

Other rulemakings would amend existing rules, using Mag-Moss (for rules originally developed that way) or the more streamlined procedures of the Administrative Procedures Act (APA) (for rulemakings specifically authorized by Congress). Notably, in many of the FTC’s pending proceedings, there’s still time to submit comments and potentially shape the final rule.

Key Rulemakings to Watch

Below, I provide a list of some of the FTC’s more significant pending rulemakings. This is by no means a complete list of the FTC’s regulatory activity, but it highlights the FTC’s most prominent and/or broad-ranging proposals. This list also omits the FTC’s many guidance documents (such as the “Green Guides” and Health Claims Guidance, discussed here and here), which provide interpretations of existing law but don’t carry the enforcement weight of a rule. For a more complete list of the FTC’s rulemakings and related activity, consult the FTC’s regulatory review calendar (showing the FTC’s schedule for reviewing existing rules), as well as its list of federal register notices (which includes new rulemaking proposals).

• GLB Safeguards – Breach Notification Proposal (APA update). In December 2021, the FTC proposed to amend the GLB Safeguards Rule to add a requirement that covered entities provide notice to the FTC of security breaches that meet certain criteria. The comment period closed in February 2022, so the FTC could finalize this proposal soon. See our earlier commentary here.
• Impersonation of Government and Businesses (new Mag-Moss rule). In October 2022, following an ANPRM and initial round of comments, the FTC proposed a new rule to ban impersonation fraud. This was/is Chair Khan’s first Mag-Moss rulemaking – normally a lengthy process, as noted above, but proceeding apace here, given the seemingly non-controversial nature of the subject matter. One twist is that the rule would cover, not just those directly perpetrating the fraud, but those that provide the “means and instrumentalities” for others to engage in fraud, as we discuss here. The comment period for the NPRM closed in December 2022, so, unless the FTC plans to hold a public hearing here, it could finalize this rule soon.
• Motor Vehicle Dealers (new APA rule). This proposal would ban deceptive pricing and surprise add-on products in the auto dealer industry. Many of the rule’s provisions track the FTC’s prior law enforcement in this area, but the rule would also ban charging for any add-on product that “would not benefit” the consumer. The comment period closed in September 2022, so a final rule could come soon.
• Earnings Claims (new Mag-Moss rule). Here,the FTC is exploring whether to issue a rule governing earnings claims, potentially across multiple topic areas and industries. Indeed, as we discussed here and here, the ANPRM sought information about whether to issue a rule prohibiting deceptive earnings claims (and potentially creating new disclosure, substantiation, and recordkeeping requirements) applicable to coaching and mentoring;work-from-home and “gig” work; multi-level marketing and direct selling;franchise and other business opportunities; investment offers; and other areas. The comment period for the ANPRM closed in May 2022, so the NPRM could come at any time.
• Commercial Surveillance and Data Security (new Mag-Moss rule). Among the FTC’s most closely watched rulemakings is its proposal to regulate “commercial surveillance,” data security, and other privacy issues. As we discussed here, the ANPRM in this matter was remarkably sweeping in scope – covering virtually every form of data collection across the economy, posing 95 questions, and raising issues that stretch the bounds of the FTC’s legal authority. The initial comment period closed in November 2022 (netting over 11,000 comments) and the FTC’s next step is to issue an NPRM with rule text. With Congress still stalled on general privacy legislation, we expect the FTC to forge ahead aggressively here.
• Reviews and Endorsements (new Mag Moss rule). The idea behind this rulemaking, launched in November 2022, is to potentially replace the longstanding Endorsement Guides with an enforceable rule. (Confusingly, though, the FTC sought comment on the Guides just months before proposing this rule.) Like the Guides, a rulemaking here could extend to deceptive endorsements, testimonials, and reviews across the marketplace – but with the threat of penalties and possibly more stringent requirements. The initial comment period just closed in January, and the next step is an NPRM.
• Funeral Industry Practices (Mag-Moss update). Also in November 2022, the FTC issued an ANPRM exploring whether to update its Funeral Rule to require that prices for funeral services be posted online and distributed electronically. Like the motor vehicle dealer proposed rule (above), this update would impact one industry but in a potentially big way. The comment period just closed in January, and the next step is a proposed rule.
• Business Opportunities (Mag-Moss update). In yet another November 2022 announcement, the FTC issued an ANPRM seeking comments on its existing Business Opportunity (Biz-Op) rule. As we discussed here, the ANPRM asked whether the rule should be expanded to cover offers related to coaching, mentoring, e-commerce, and/or investment opportunities (also mentioned in the Earnings Claims proposal above) and says that it will consider comments from the Earnings Claim proceeding in tandem. This suggests that the FTC may be considering the two rules to be alternatives – i.e., weighing whether it should create a new rule or expand the existing one. The initial comment period here just closed in January.
• Unfair or Deceptive Fees (“Junk Fees”) (new Mag-Moss rule). In keeping with the FTC’s longstanding focus on hidden fees, as well as more recent attention from the CFPB and even the President in his State of the Union speech, the FTC issued an ANPRM (again in November 2022) to explore whether to ban “unnecessary, unavoidable, or surprise charges that inflate costs while adding little to no value.” As we explained here, the FTC appears to be considering a sweeping regulation that covers multiple industries, prescribes the timing and placement of fee disclosures, and potentially requires one overall price or even prohibits certain types of fees. The initial comment period here just closed on February 8.
• Noncompete Clauses (new “Unfair Methods of Competition” rule.) Although this blogpost focus mostly on consumer protection rules, I would be remiss if I didn’t highlight the FTC’s recent proposal to ban noncompete clauses as an “unfair method of competition.” As we explain here, here, and here, the FTC’s proposal would regulate virtually every labor relationship in the US and raises a host of legal and compliance questions. Still, because it’s proceeding under the APA, it could move fairly quickly, at least in theory. The comment period closes on March 20 (though multiple parties have requested an extension) and the FTC is holding a public hearing on February 16.
• On the back burner? Finally, it’s worth a reminder that the FTC’s review of the COPPA Rule (pending since 2019 and netting over 176,000 comments) appears to be on ice, likely because the FTC (1) has been able to bring aggressive enforcement actions (e.g., EPIC and Google/YouTube) and issue policy interpretations without the need for a resource-intensive rulemaking; and (2) is waiting to see whether Congress passes kids’ privacy legislation (a real possibility), which could significantly affect COPPA’s requirements. Recent remarks by Commissioners Slaughter and Bedoya seem to confirm that updating COPPA isn’t a top priority.

Similarly, the FTC hasn’t taken action on it 2020 review of the Health Breach Notification Rule, likely because it has found it easier to advance a broad interpretation of the rule through a policy statement, business guidance, and a recent high-profile settlement.

As noted above, there’s still time to affect the outcome of some of these rulemakings by submitting a comment to the FTC. In the meantime, we’ll be tracking these proceedings and highlighting key developments here.

Registration requirements would apply to companies using form contracts (contracts drafted prior to the transaction for use in multiple transactions between the company and consumers). In addition, the form contracts must contain certain “covered terms and conditions,” as described below. This information would be made publicly available on the CFPB’s website.

The terms and conditions targeted by the CFPB proposed rule are:

• limits on consumer ability to bring a legal action by dictating the time frame, forum, or venue for a consumer to bring a legal action;
• inclusion of arbitration agreements;
• limits on ability to bring or participate in class action lawsuits;
• limits on the company’s liability to consumers including by capping the amount of recovery or type of remedy;
• waivers of claims consumers can bring in a legal action;
• limits on the ability of consumers to complain or post reviews; and
• waivers of other identified legal protections afforded under Constitutional law, a statute or regulation, or common law.

Some of these limitations are already prohibited under other statutes. For example, any contract term limiting consumers’ ability to complain or post reviews is already prohibited under the Consumer Review Fairness Act, discussed in more detail here.

But many other proposed terms and conditions are ubiquitous in financial company form contracts. For example, many companies include arbitration agreements in their terms and conditions and place limits on consumers’ ability to bring a legal action by specifying the time frame, forum, or venue for such legal action. Such contractual terms would trigger the need for CFPB registration under the new proposed rule, which could in turn trigger subsequent scrutiny under the Bureau’s UDAAP authority. Similarly, many form contracts limit the company’s liability to a consumer in one way or another, which is another “covered” term requiring registration. Indeed, as currently drafted, the CFPB’s proposed rule may result in the majority (if not all) of nonbank financial institutions needing to register contracts in the CFPB’s registry for public disclosure.

In promulgating this proposed rule, the CFPB relies on its CFPA mandate to monitor for risks to consumers in consumer financial products and services, and to conduct a risk-based supervision program for nonbanks (see CFPA §§ 1022(c) and 1024(b)). The information gathered in the registry would be used to aid in such monitoring and supervision efforts, as well as to inform the agency’s enforcement, consumer education, and rulemaking functions. Finally, the registry is intended to aid in enforcement actions by other regulators and raise public awareness about the use of covered terms.

Given the widespread use of form agreements, now is a good time to determine whether any of your company’s contract terms are covered under the proposed CFPB rule, and, if so, whether changes are in order. The specific terms and conditions included in the CFPB proposed rule signal regulators’ particular interest and likely increased scrutiny of these types of provisions in financial contracts.

Comments on the proposed rule are due by March 13, 2023.

Notably, the ANPR did not identify specific proposals under consideration for expanding the scope of the Rule other than to highlight work-from-home programs, investment coaching programs, and e-commerce opportunities as generally outside the scope of the current BOR. The ANPR also notes that the Commission may consider comments previously submitted in response to the ANPR on Earnings Claims as an admittedly related endeavor (which we discussed here) and noted that it “solicited and received comments about the following industries: multilevel marketers, for-profit schools, and gig platforms” for that ANPR. Today’s ANPR does not otherwise specifically address direct selling companies, for-profit schools, and/or the gig economy, although it remains possible that revisions to the BOR could potentially sweep in practices of those groups.

What is the “Business Opportunity Rule”?

The BOR as currently written applies a “commercial arrangement” in which a “seller solicits a prospective purchaser to enter into a new business”; the “prospective purchaser makes a required payment”; and the “seller, expressly or by implication, orally or in writing, represents that the seller or one or more designated persons will” either (1) provide locations for the purchaser’s equipment, such as a vending machine; (2) provide outlets, accounts, or customers for the purchaser’s goods or services; or (3) buy back any or all of the goods or services that the purchaser makes or provides. The BOR was an outgrowth of the initial Disclosure Requirements and Prohibitions Concerning Franchising and Business Opportunity Ventures Rule, which was later divided into the Franchise Rule and the BOR.

The BOR requires sellers of business opportunities to provide a highly prescriptive disclosure document that includes information about possible earnings and related substantiation, involvement in certain legal actions, cancellation or refund policies and related terms, and a list of references who have purchased the business opportunity in the last three years. The current BOR also includes a list of prohibited claims and misrepresentations and prescribes requirements for sales in languages other than English.

What is the FTC Seeking Comment on?

The ANPR seeks comments on a series of specific and general issues related to the BOR, including:

• Whether the BOR or any specific provisions of the BOR should be retained, eliminated, or modified;
• Whether the BOR should be expanded to more broadly cover other types of moneymaking or business opportunities, including coaching or mentoring programs, e-commerce opportunities, and investment opportunities;
• Whether the BOR overlaps or conflicts with other federal, state, or local laws or regulations;
• Whether there amendments are necessary to address practices that disproportionately affect low-income communities, communities of color, and other historically underserved communities.

Prohibiting junk fees may sound uncontroversial in the abstract, but what does it mean in practice? We concentrate here on the FTC’s ANPR given its potential breadth and impact on a host of industries including travel, delivery services and others in the gig economy, restaurants, and e-commerce sites.

What is a “Junk Fee”?

The ANPR uses the term “junk fees” to refer to “unfair or deceptive fees that are charged for goods or services that have little or no added value to the consumer, including goods or services that consumers would reasonably assume to be included within the overall advertised price.” According to the FTC, the term includes, but is not limited to “hidden fees,” which are fees disclosed only at a later stage of the customer experience or potentially not at all.

The ANPR references a host of industries that allegedly charge junk fees, such as hotels that charge “resort fees” and online ticket sellers that charge transaction fees. The Commission also cites specific enforcement actions as support for its initial conclusion that junk fees are “prevalent,” which as we’ve previously discussed is a requisite determination to proceed past the ANPR stage to a proposed rule under the FTC’s Magnuson-Moss Rule authority. Those enforcement actions date back 18+ years and include actions related to mobile cramming, connection and maintenance fees on prepaid phone cards, account fees, resort fees, membership programs, and merchandise fees.

What is the FTC Seeking Comment on?

The ANPR seeks comments on a host of issues related to the prevalence and justification for certain fee and disclosure practices, including:

• The prevalence of failing to disclose in advertisements or at the initial stages of the customer experience the total cost for a good or service;
• The prevalence of failing to disclose whether certain fees, interest, charges, or costs are reasonably avoidable and/or mandatory to the consumer;
• The capacity to require “all-in-pricing” in advertisements and at every stage of the customer experience, and whether such “all-in-pricing” should include taxes in addition to fees; and
• The need for a new rule addressing fees and disclosure practices and whether a one-size fits all approach works across industries.

Inherent in many of the FTC’s questions is the premise that fees harm consumers and competition, and that such fees do not serve legitimate business purposes. The ANPR also seems to assume without elaboration that consumers do not reasonably expect fees in certain industries, such that they are necessarily deceived when such fees are not clearly and conspicuously disclosed in advertisements. In addition to the issues specifically identified in the ANPR, these topics would be well-suited for comment prior to the January 9 comment deadline.

Potential Obstacles to a Far-Reaching “Junk Fees” Rule

As we’ve discussed in prior posts (see here and here), the FTC’s authority to promulgate rules is limited because it must meet a number of substantive and procedural requirements along the way, including making a finding that the prohibited unfair or deceptive practices are prevalent, explaining how the rule prohibits such prevalent unfair and deceptive practices, and analyzing the economic effect of the rule.

In a dissenting statement, Commissioner Wilson raised both procedural and substantive questions related to the ANPR. While noting her agreement in principle in ensuring that consumers (1) have access to sufficient information to make informed decisions and (2) are not charged for products or services they did not agree to purchase, Commissioner Wilson questioned the need for a rule, particularly one of the potential breadth suggested in the ANPR. Along those lines, the rule is likely to implicate “vast economic and political significance,” which could in turn raise constitutional questions under the Supreme Court’s recent decision in West Virginia v. EPA.

Commissioner Wilson also questioned whether a rule was necessary in the first place, given that the FTC has initiated enforcement actions to prevent unfair and deceptive fee practices and is specifically empowered under certain statutes like the Truth in Lending Act and the Restore Online Shoppers’ Confidence Act to obtain civil penalties for violations.

How Does this Relate to the CFPB’s Junk Fees Initiative?

The CFPB – with former FTC Commissioner Rohit Chopra at the helm – has previously led the charge against “junk fees.” Indeed, back in January 2022, the CFPB issued a request for information on back-end junk fees charged in connection with consumer financial products and services. And last month, the CFPB issued guidance warning companies that it planned to bring enforcement actions under its unfairness authority where companies charge overdraft and depositor fees that a consumer would not reasonably expect.

But, as recognized in the FTC’s ANPR, the CFPB’s authority is limited to consumer financial products or services. Enter Chair Khan and the FTC’s ANPR, which by its own account is intended to be far-reaching and address fees across a wide array of industries. Time will tell, but it’s possible that the CFPB charted the path for an FTC rule that will ultimately have a much more profound and widespread effect.

Here, the Fifth Circuit panel unanimously held that, although the Bureau did not exceed its statutory authority in promulgating the Rule, it “lacked the wherewithal to exercise that power via constitutionally appropriated funds.” The panel held that Congress’s decision to cede its power of the purse to the Bureau violates the Appropriations Clause of the Constitution and the clause’s underpinning, the constitutional separation of powers. As such, the court reasoned that while most of “Plaintiffs’ claims miss their mark, . . . one arrow has found its target” and the Payday Lending Rule could not stand given the Bureau’s unconstitutional funding mechanism “deprived [it] of the lawful money necessary to fulfill those responsibilities.”

The CFPB’s funding method was established in the 2010 Dodd-Frank Act. Rather than receiving funding through annual congressional appropriations, the Bureau receives funding directly from the Federal Reserve—eliminating the periodic assessments that accompany congressional appropriations analyses. The Federal Reserve, which itself exists outside the appropriations process, must grant the CFPB’s self-directed funding requests up to a certain cap. Although other federal financial regulators also receive funding from independent sources, the panel held that its structure “goes a significant step further than that enjoyed by other agencies”—pointing to the Bureau’s double-insulation from Congress’s purse strings coupled with its singular director and expansive enforcement authority.

In the near term, the Bureau will continue to be unable to enforce the Payday Lending Rule, but its immediate practical impact on other CFPB efforts is likely to be limited. The agency is likely to seek a stay and petition the full Fifth Circuit for an en banc review, but the decision could lead to an increase in litigation challenging other Bureau actions, whether rulemaking or enforcement, that are supported of course by the same funding mechanism found to be unconstitutional.

The Fifth Circuit’s holding differs from certain other courts that have heard the issue, so the split may ultimately find its way before the Supreme Court. Regardless of ultimate impact and outcome, Wednesday’s decision is another example of recent judicial scrutiny of regulatory authority, which has impacted regulatory and enforcement activities at a number of agencies including the CFPB, FTC, and EPA.

For textiles, the law requires manufacturers to provide retailers and distributors with a certificate of compliance stating that the product does not contain any “regulated PFAS,” which are defined as PFAS “that have a functional or technical effect in the product.” Further, the ban applies to PFAS present in textile articles present above certain minimum thresholds, as measured by total organic fluorine content: 100 parts per million as of January 1, 2025, with a reduction to 50 parts per million in 2027.

The law also requires a manufacturer to use the “least toxic alternative” when replacing regulated PFAS in textile articles. The term “least toxic alternative” is not defined in the legislation but presumably envisions a process similar to the “Alternatives Analysis” required for manufacturers of products subject to the state’s Safer Consumer Products (SCP) program.

Notably, the PFAS prohibition is delayed until 2028 for “outdoor apparel for severe wet conditions.” Such products, however, must be clearly labeled as “Containing PFAS chemicals” starting January 1, 2025. Full exemptions from the ban are provided for “personal protective equipment” (PPE) and “clothing items for exclusive use by the United States military.” Carpets and rugs are excluded from the ban as they are currently regulated under the SCP program.

The cosmetics ban extends a previous California law prohibiting 13 specific PFAS chemicals to all of the thousands of different PFAS substances in existence. No minimum PFAS content threshold is provided in the law, which may present a challenge to companies seeking to demonstrate that PFAS have not been intentionally added to a cosmetics product and that any amount identified is from contamination in raw materials, water or other unknown sources.

While the California ban is among the most aggressive legal prohibitions related to PFAS in products, the scope of the ban does not go as far as recent legislation adopted in Maine, which applies to all products containing intentionally added PFAS (unless for “unavoidable uses” which have yet to be defined). The California prohibition, however, goes into effect much sooner (starting in 2025) than the 2030 ban in Maine. (Maine has banned PFAS in carpets and rugs as of 2023.)

Governor Newsom also declined to further extend California’s PFAS regulations by vetoing legislation that would have required consumer product manufacturers to submit annual reports on intentionally added PFAS in all products and product components beginning in 2026. In 2021, Maine adopted a similar reporting requirement that goes into effect January 1, 2023.

With the final adoption of the California PFAS prohibitions, all eyes now turn to New York, where Governor Hochul is weighing signature of legislation passed earlier this year to ban intentionally added PFAS in apparel starting in 2024.

Find out more on PFAS on our Kelley Green blog.

Join us on Thursday for a webinar discussing how to operationalize adtech privacy compliance, and learn about other ways you can stay informed.

Operationalizing Adtech Privacy Compliance: Understanding the IAB Multi-State Privacy Agreement

Responding to the industry’s need for a solution, the Interactive Advertising Bureau (IAB), working with various stakeholders, has prepared the Multi-State Privacy Agreement (MSPA). The MSPA is designed to help publishers, advertisers, agencies, and adtech intermediaries address some of these privacy contract and choice obligations throughout the supply chain, while also providing publishers and advertisers with flexibility in operationalizing on a national basis or apply state-specific approaches.

Please join us for a discussion on Thursday, September 29, at 1:00 pm Eastern with IAB’s Michael Hahn and Tony Ficarrotta to discuss the structure of the MSPA and how the MSPA solves significant digital advertising industry compliance challenges. The discussion will also cover the changing regulatory landscape, such as the California Privacy Protection Agency’s rulemaking process, and how the MSPA is positioned to respond to those changes.

Please register here to attend this event.

Ad Law News and Views Back to School Issue

Ad Law Access App

Find All Our Information

Here's the Mission Statement from the FY 2018-2022 plan, which generally tracks wording that the FTC has used for decades:

• Protecting consumers and competition by preventing anticompetitive, deceptive, and unfair business practices through law enforcement, advocacy, and education without unduly burdening legitimate business activity (emphasis added).

• Protecting the public from deceptive or unfair business practices and from unfair methods of competition through law enforcement, advocacy, research, and education.

Indeed, some of the Commission’s recent actions convey the same troubling message. For example, as we discuss here, the FTC’s ANPR on “commercial surveillance” addresses the benefit of privacy regulation in great detail but says very little about the potential costs of such regulation on consumers, competition, and legitimate business activity.

Here’s a quick reminder of why this phrase and the principle it embodies is so important: For years, it has communicated that, in enforcing the law and developing regulations, the FTC will tailor its allegations, prohibitions, and remedies to illegal conduct, and will take care to preserve the legitimate business functions that provide products and services to consumers and maintain our vibrant, competitive economy. In other words, the FTC has recognized that legitimate business activity benefits consumers and competition, and has consistently made a public commitment to preserve it.

In addition, as we detailed in our prior post and comment, the concept of preserving legitimate business activity is integral to many laws and policies that have long governed the agency’s authority and processes – including unfairness, deception, substantiation, “fencing in,” and precedent governing unfair methods of competition.

The FTC’s mandate – to prevent deceptive, unfair, and anticompetitive practices – is essential to maintaining a thriving economy that serves and protects the American public. So is preserving the legitimate business activity that consumers across this country rely upon every day.

• Pre-suit/investigation notice requirements for Attorneys General
• Additional information on the scope of Attorneys General investigative authority and how to challenge an investigation
• Consumer Complaints: differences among the AGs on handling and use

July 20

RSVP

Find more upcoming sessions, links to replays and more here

We like to occasionally use this space to let you know about upcoming events that you may not have heard about:

State Attorneys General 101 Please join Kelley Drye State Attorneys General practice Co-Chair Paul Singer, Senior Associate Beth Chun and Abby Stempson, Director of the Center for Consumer Protection, National Association of Attorneys General (NAAG) for State Attorneys General 101. This webinar will cover the basics of State AG consumer protection powers, what to expect if you find yourself a target of attorneys general investigation, how to look to state attorneys general to stop improper actions of competitors, and more. RSVP HERE

IAB Public Policy & Legal Summit 2022 Kelley Drye is a premier sponsor of the IAB Public Policy & Legal Summit 2022, which brings together global leaders in advertising, media, technology, and the government to discuss how organizations can lean into the coming transitions and find solutions that will enable them to build a sustainable and consumer-centric media and marketing ecosystem. Privacy practice Chair Alysa Hutnik (Solving for State Privacy Law Complexity: CPA, VCDPA, UCPA, and Beyond) and Of Counsel Jessica Rich (The FTC During the Biden Administration) will speak at this free virtual summit today. REGISTER HERE

June 14

June 23

This complimentary event is by invitation only. If you or a colleague are interested in receiving an invitation, please contact [email protected].

July 20

Other Ways to Stay Informed

• Ad Law Access App - available as a free download in the Apple App Store and Google Play, and can be used on iPhone, iPad, and Android devices
• Ad Law Access Blog (Subscribe) – Where we regularly cover advertising and privacy law developments
• Ad Law Access Daily Podcast – The Ad Law Access Daily podcast is available from a number of services (Apple, Spotify, Google Podcasts, SoundCloud and many other podcast services)
• Advertising and Privacy Law Resource Center – Addresses key legal topics relevant to advertising and marketing, privacy, data security, and consumer product safety and labeling
• Ad Law News and Views Newsletter (Subscribe) – Compiles all of our recent Advertising Law news and analysis in one place
• State Attorneys General News and Map - Updated State Attorneys General map and daily news feed

But let’s unpack the surprises in the draft regulations. The 66-page draft proposed CCPA regulations (and they are referred to within the document as CCPA regulations) take a prescriptive approach to privacy obligations. In concept, that is not too surprising. Of concern, in some areas, they uniquely depart from approaches set forth by other state privacy laws. The quiet release of dramatic new obligations while bipartisan Senators reportedly may be reaching consensus on federal privacy legislation that could preempt state law obligations puts companies doing business in California in a difficult position. Do they scramble to operationalize new programs to comply with the CPPA’s new requirements, if finalized? Do they wait on Congress? Do they choose a third path? For now, while these draft rules are certain to change in some respects before they are finalized, they directionally outline a new privacy baseline for the United States. We highlight certain aspects of the draft rules below, with a particular focus on accountability and risk exposure, how data can be shared with other businesses for digital advertising or other functions, and what those business agreements must include to lawfully support such business relationships and comply with the amended CCPA.

Quick and Costly Potential CPPA Enforcement

Consumers, the CPPA, and the California Attorney General’s Office all are empowered to take businesses (and contractors, service providers, and third parties) to task for perceived non-compliance with privacy obligations. Among all of the proposed changes in the draft regulations, the enforcement provisions should cause many companies, regardless of their role, to pause and evaluate whether they’ve allocated sufficient resources to address privacy compliance. While there is not a privacy private right of action under the CCPA/CPRA, the draft rules set forth a new increased, and fast tracked form of compliance monitoring and action that could be surprising to many companies and costly.

First, while there are provisions about requiring consumers to file sworn complaints, the CPPA provides that it can accept and initiate investigations on unsworn and anonymous complaints too. For every sworn complaint, the CPPA must notify the consumer complainant in writing of what actions the Agency has taken or plans to take and the reasons for action or non-action. Because the Agency has to respond to each complaint, this could turn into a routinized process of a high volume of complaints forwarded to businesses, with tight timeframes to respond in writing or else face violations and administrative fines.

The rules provide that there is “probable cause” of a privacy violation if “the evidence supports a reasonable belief that the CCPA has been violated.” There is no mention of extensions of time for good faith reasons. Under the statute, the CPPA can find a violation through a probable cause hearing if it provides notice by service of process or registered mail with return receipt to the company “at least 30 days prior to the Agency's consideration of the alleged violation.” The notice must contain a summary of the evidence, inform the company of their right to be present “in person and represented by counsel.” The “notice” clock starts as of the date of service, the date the registered mail receipt is signed, or if the registered mail receipt is not signed, the date returned by the post office. It’s possible this process occurs through the forwarding of unverified consumer complaints.

Under the draft rules, a company can request the proceeding be made public if they make a written request at least 10 business days before the proceeding. A company has a right to an in-person proceeding only if it requests the proceeding be made public. Otherwise, the proceeding may be conducted in whole or in part by telephone or video closed to the public. Participants are limited to the company representative, legal counsel, and CPPA enforcement staff. The CPPA serves as prosecutor and arbiter, and the draft rules do not define how the agency preserves its neutrality in its latter role.

The CPPA makes a determination of probable cause at such proceeding “based on the probable cause notice and any information or arguments presented at the probable cause proceeding by the parties.” If a company does not participate or appear, it waives “the right to further probable cause proceedings” (it’s not clear in the draft rules whether that is limited to the facts of that matter, or future alleged violations) and a decision can be made on the information provided to the CPPA (such as through a complainant).

The CPPA then issues a written decision and notifies the company electronically or by mail. Of concern, the draft rules provide that this determination “is final and not subject to appeal.” Under the statute, violations can result in an administrative fine of up to $2500 for each violation, and up to $7500 for each intentional violation or if the violation involves minors. Multiple parties involved can be held jointly and severally liable. It’s conceivable that violations may be calculated on any number of factors that could add up substantially, and as contemplated by these draft rules, there is no process to challenge such judgments, including if there are factual or legal disputes. One can imagine future legal proceedings that challenge a variety of the legal bases for such a structure if these rules are finalized as drafted.

Service Provider Requirements and Restrictions

Data Privacy Addendums Get a Further Tune Up, and Open Question on Whether They Need to be Bespoke. One aspect of state privacy law compliance that has consumed much resources and time are the service provider contracts. Who is a service provider? What must the contract say? What restrictions apply to service providers (or contractors)? The draft rules continue to add more obligations.

One must have a written contract in place that meets all of the requirements outlined below to even qualify as a service provider and contractor. The contract requirements are very granular, and go beyond what most current privacy addendums (or technology provider terms and conditions) look like today, and include:

• Restrictions from selling or sharing the business’s personal information.
• Identify which specific business purposes and services are required for processing the business’s personal information, and that such disclosure occurs only for the limited and specified business purposes set forth in the contract. This cannot be stated generally with reference to the agreement, but rather requires a specific description.
• • This language suggests that a one-size-fits-all data processing agreement for all vendors processing personal information for different business purposes or functions might not be sufficient, which is very concerning from a resource and practicality standpoint.
• Restricting the processing of personal information outside or for any other purpose from those business purposes in the contract, including to service a different business, unless permitted by the CCPA. Awkwardly, the proposed rule suggests that all of the specific business purpose(s) and service(s) identified earlier would need to be restated as part of the restrictions.
• • On this last point, the draft rules underscore this specific example: “a service provider or contractor shall be prohibited from combining or updating personal information received from, or on behalf of, the business with personal information that it received from another source unless expressly permitted by the CCPA or these regulations”
• Requiring compliance with all applicable provisions of the CCPA, including providing the same level of privacy protection as applicable to businesses, to cooperate with the business for handling consumer rights requests, and reasonable data security provisions.
• Reasonable audit provisions to ensure CCPA compliance, such as “ongoing manual reviews and automated scans of the service provider’s system and regular assessments, audits, or other technical and operational testing at least once every 12 months.”
• Notification to the business within 5 business days if the service provider/contractor determines it cannot meet its obligations.
• Providing the business the right to take reasonable steps to stop and remediate any unauthorized use of personal information by the service provider/contractor, such as “to provide documentation that verifies that [the service provider/contractor] no longer retain[s] or use[s] the personal information of consumers that have made a valid request to delete with the business.”
• Provides that the business will notify the service provider/contractor of any consumer rights request and provide the information necessary for the service provider/contractor to comply with the request.

The Limitations on Internal Use of Customer Data by a Service Provider/Contractor. The draft rules provide that a service provider/contractor is restricted from using customer personal data for its own purposes, except for internal use to build or improve the quality of its services, provided that the service provider/contractor does not use the personal information to perform services on behalf of another person in a manner not permitted under the CCPA. This language is notably different from the governing CCPA rules. Based on the examples outlined below, and the admonition above that the service provider cannot combine or update personal information received from another source unless permitted by the CCPA, makes it ambiguous as to when updating personal information crosses the line. From the examples, it suggests that where such functions are to facilitate personalized advertising or data sales, they would not fit within a service provider/contractor role.

Use for Analysis/Data Hygiene (Sometimes). The draft rules set forth two examples that seem to allow some analysis and data correction under particular circumstances. For example, the first illustration emphasizes that the service provider/contractor can analyze how a business customer’s consumers interact with company communications to improve overall services, and the second example highlighted that a service provider/contractor can use customer data to identify and fix incorrect personal information that, as a result, would improve services to others. The draft rules underscore, however, that a service provider/contractor could not compile (e.g., enrich/append) personal information for the purpose of sending advertising to another business or to sell such personal information.

Data Security/Fraud Prevention. Consistent with the statute, the draft rules allow service providers/contractors to use and combine customer personal information “[t]o detect data security incidents or protect against malicious, deceptive, fraudulent or illegal activity.”

Other Legal Purposes. The draft rules acknowledge that a service provider/contractor can use customer data to comply with other laws, lawful process, to defend claims, if the data is deidentified or aggregated, or does not include California personal information.

Advertising Service Provider Functions Look Limited. The draft rules acknowledge a business can engage a service provider/contractor for advertising/marketing services if the services do not combine opted out consumer data from other sources. The draft rules also affirmatively reiterate that an entity who provides cross-contextual behavioral advertising is a third party and not a service provider/contractor.

• As an example of what would cross the line, the draft rules provide that a service provider/contractor can provide non-personalized advertising based on aggregated or demographic information (ads based on gender, age range, or general geographic location), but could not, for example, share the business’s customer information with a social media platform to “identify users on the social media company’s platform to serve advertisements to them.” This example is stated without qualification to what commitments the platform has provided on its own use and restrictions as to such data, or if and how any other permitted “business purposes” under the CPRA may apply.
• In another example, the draft rules provide that an advertising agency can be a service provider/contractor by providing contextual advertising services. Again, this example is set forth without reference to any other business purposes that may apply. However, one wonders whether the enforcement structure may inhibit broader interpretations where functions involve personalized advertising and analytics.

Notice at Collection. The draft rules have new language that, in the context of “notice at collection” provide that when more than one party controls personal information collection, such as in connection with digital advertising, all such parties must provide a very detailed “notice at collection” that accounts for all parties’ business practices. As an example:

• A “first party may allow another business, acting as a third party, to control the collection of personal information from consumers browsing the first party’s website. Both the first party that allows the third parties to collect personal information via its website, as well as the third party controlling the collection of personal information, shall provide a notice at collection.”

Honoring Opt Outs. Section 7051 provides that third parties are directly obligated to honor opt outs, including as conveyed through a global privacy signal or otherwise on a first-party business’s site hosting the third party’s tag collecting personal information, unless the first-party business informs the third party that the consumer has consented to the sale/sharing, or “the third party becomes a service provider or contractor that complies with the CCPA and these regulations.”

• This latter provision is interesting because it suggests implicit support for frameworks, such as IAB’s LSPA, where a contract that contains commitments around use of personal data post-opt outs can support a continued service provider role.

* * *

JOIN US

Separately, join us as Kelley Drye privacy lawyers provide observations on the proposed regulations, including which would pose the biggest challenge for businesses if implemented, and will offer strategies to plan efficiently for compliance in the face of these proposals. Register here.

Given the rapidly evolving situation in Ukraine, we thought it would be helpful to offer our AdLaw Access readers a link to the ongoing guidance being published by our Export and Sanctions Team at Kelley Drye. For more information on the situation and how it may impact your business, please contact our Export and Sanctions Team - Rob Slack at [email protected] or Eric McClafferty at [email protected].

If you would like to receive daily updates from our sanctions team, please contact Heather Tighe ([email protected]).

Our International Trade Practice also maintains the Trade and Manufacturing Monitor blog.

Prop 65

Our friends at Kelley Green Law Blog get the starting position for this issue by highlighting a precipitous uptick in the number of Prop 65 filings over the prior year. While the Covid-19 pandemic caused all sorts of disruptions to society and the economy, at least one area of business has thrived over the last two years: private plaintiff enforcement of California Proposition 65. In 2020-2021, over 40% more Prop 65 actions were brought by private plaintiff “bounty hunters” than in the two years prior to the pandemic (2018-2019). Compared to a decade ago, private plaintiff groups now initiate three times more Prop 65 actions each year, and five times more than in 2008. Learn more here about the most frequently cited chemicals and those that are emerging, including PFAS.

Notable Dishes From the Food Court

The close of 2021 included two notable class action decisions for the food industry. In the first, Bolden v. Barilla America, Inc., the Northern District of Illinois denied a motion to dismiss various state law consumer fraud and express warranty claims alleging that Barilla deceptively labeled its pasta sauces as containing no preservatives, even though the products contain the known preservative citric acid. However, the court granted Barilla’s motion to dismiss the implied warranty claim for lack of privity, and as also dismissed the negligent misrepresentation claim because it was barred by the economic loss doctrine. The court also denied the plaintiffs’ request for injunctive relief, ruling that they could avoid Barilla’s allegedly deceptive products by purchasing other branded sauces.

In the second, Warren v. Whole Foods Market Group, Inc., the Eastern District of New York dismissed claims that Whole Foods Markets tricked consumers into believe its instant oatmeal product was sugar-free or low in sugar by using allegedly misleading phrases such as “dehydrated cane juice solids” and displaying picture of fresh raspberries on the label. The court found that, in the absence of any express claim that the product was sugar-free or low in sugar, consumers are “trained to look” to the ingredient list, which disclosed the use of dehydrated cane juice solids, and found it “improbable” that reasonable consumers would gloss over the words “Sugar 11 g,” which were prominently displayed in the nutrition panel immediately next to the ingredient list and, in the court’s view, “hard to miss.”

In January, the Southern District of New York followed the overwhelming number of courts that dismissed “vanilla” claims throughout 2021. In this most recent case, Santiful v. Wegmans Food Markets, Inc., the plaintiffs had alleged that the use of the words “vanilla” and “naturally flavored” on the label of Wegmans’ Gluten Free Vanilla Cake Mix misled consumers into believing that the product was flavored mainly from vanilla beans when it allegedly contained artificial flavors. The court disagreed, finding that the vanilla representations conveyed to consumers the flavor of the product rather than the specific ingredients used to impart that flavor. As to the artificial flavoring aspect of the complaint, the court held that that because the ingredients that contributed to the vanilla flavoring (ethyl vanillin, vanillin, maltol and piperol) can be artificial or natural depending on how they are derived, the plaintiffs were required to allege exactly how these ingredients were derived for this product. Because they had not done so, the court dismissed the complaint but permitted the plaintiffs to file an amended complaint.

Food Filings Trends

Furthering one of the growing trends of the last year, 2021 ended and 2022 started with a number of new “ingredient” class actions, including three suits challenging the use of non-dairy ingredients in “fudge”-based products, as well as others challenging the use (or rather, lack of use) of real cinnamon in cinnamon-flavored cereal, the lack of butter in “butter snaps pretzels,” and the minimal use of whole grains in various cracker products. We also saw a number of new “natural” and “preservative-free” lawsuits, and multiple new lawsuits challenging “healthy” marketing claims and protein content claims.

Hot Tip: For those reviewing or refreshing food labels, here are a couple of practical watch-outs:

• Terms that are subject to a “standard of identity,” i.e., a regulatory definition for what must be in a product to bear a particular name. Using defined names without meeting the regulatory definitions is increasingly drawing scrutiny.
• Multi-function ingredients such as malic acid, citric acid or fumeric acid, which can perform multiple functions in a product in conjunction with claims such as “preservative free”. Even if not acting as a preservative, courts have been reticent to dismiss claims of false advertising where the product include a multi-function ingredient and a claim that directly relates to one of those functions.

What’s in a name? NAD determined that Goli Nutrition had a reasonable basis for use of the name Apple Cider Vinegar (ACV) Gummies but also found that the advertiser could not substantiate that the gummies provided the health benefits typically associated with ACV and thus recommended that the advertiser qualify the use of ACV – including in the product name – to avoid conveying unsupported health benefit claims.

In a challenge brought by Bragg Live Food Products, maker of a competing apple cider vinegar shot, Bragg took issue with Goli’s use of “apple cider vinegar” in the product name, alleging that they do not contain enough acetic acid to qualify as apple cider vinegar or an ACV supplement. As such, Bragg also alleged that Goli's use of the term "vinegar" in the product name and labeling runs afoul of FDA labeling requirements and Goli’s gummies have little chemical similarity to apple cider vinegar or a true ACV supplement.

More specifically, Bragg alleged that Goli’s gummies did not have sufficient acetic acid to be labeled “vinegar” per FDA’s regulations and also fell short of the 5% naturally occurring acetic acid concentration found in traditional ACV. Goli countered that its ingredient is made from dehydrated apple cider vinegar. In support of its argument, Goli submitted Specification and Cook Sheets indicating that the apple cider vinegar powder component contained 5.88% acetic acid along with multiple laboratory tests demonstrating acetic acid at 25-33 mg. Based on this, NAD determined that Goli had established a reasonable basis for its product name.

NAD then examined Goli’s advertising for its ACV product, which “created a powerful connection between the product and the expected health benefits of ACV” based on the combination of visual imagery and product scenes featured in ads. In evaluating the substantiation for those claims, NAD noted that the accepted threshold dose of liquid apple cider vinegar is one tablespoon, which delivers 750 mg of acetic acid. When consumed as directed or even at a modified dose, NAD found that the Goli gummies provided far less than 750 mg of acetic acid and that the advertiser did not provide support for a health benefit below that level. As such, NAD recommended that Goli discontinue or modify its advertising to avoid conveying the unsupported message that the amount of ACV contained in its gummies are associated with the health benefits of traditional liquid ACV. NAD noted that this includes modifying or qualifying the use of “Apple Cider Vinegar,” “ACV,” or “Vinegar” including in its product name when in the context of the challenged advertising so as to avoid conveying an unsupported implied health message.

Unsurprisingly, Goli is appealing the decision to the NARB. Given the popularity of ACV and gummies generally, this is one to watch.

***

FDA

The big news at FDA is that the agency finally has a confirmed commissioner after over a year without one. Dr. Robert Califf was narrowly confirmed by the Senate earlier this week.

In a sign of things getting back to “normal,” FDA also announced that it will be resuming in-person inspections for domestic facilities.

FDA released a list of guidance topics that the FDA Foods Programs expects to publish by the end of December 2022, which includes the following:

• Labeling of plant-based milk alternatives
• Labeling of plant-based alternatives to animal-derived food
• Multiple guidance documents relating to hazard analysis for various food types
• Three guidance documents relating to heavy metal levels in foods
• Two guidance documents relating to the new dietary ingredient process
• Guidance relating to testing methods for asbestos in cosmetic products that contain talc

***

The FTC and state attorneys general are also hard at work. Companies that offer a subscription service or autoship options will want to pay attention to guidance and enforcement regarding allegedly deceptive practices, now branded as “dark patterns”. See here and here for our expert analysis on these topics.

And finally, in-house counsel should check on whether their marketers may be cherry-picking reviews in a way that could be deceptive. The FTC’s settlement with Fashion Nova regarding failure to post negative reviews is a helpful lesson for any company that curates reviews, whether manually or by algorithm.

***

As we previously discussed here, the Bureau’s January 2020 policy statement announced three new principles that it planned to apply relative to its abusive authority: (1) consideration of consumer harm and countervailing benefits, principles that parallel the second prong of the “unfairness” standard; (2) avoiding add-on abusive allegations when the facts are similar to unfairness or deception allegations; and (3) avoiding civil penalties or disgorgement when making abusive allegations if the covered entity made a good faith effort to comply with the law.

In announcing the rescission of the policy statement today, the Bureau asserted that the “2020 Policy Statement was inconsistent with the Bureau’s duty to enforce Congress’s standard” and noted that “the CFPB intends to exercise its supervisory and enforcement authority consistent with the full scope of its statutory authority under the Dodd-Frank Act as established by Congress.” As a refresher, in passing the Dodd-Frank Act creating the CFPB, Congress newly conferred the Bureau with authority to prohibit “abusive acts and practices,” a new authority that other consumer protection regulators like the FTC had not held. Under Dodd-Frank, an act or practice is abusive if it:

• Materially interferes with someone’s ability to understand a product or service;
• Takes unreasonable advantage of someone’s lack of understanding;
• Takes unreasonable advantage of someone who cannot protect themselves; or
• Takes unreasonable advantage of someone who reasonably relies on a company to act in their interests.

The Bureau has generally used its abusive authority sparingly. In those few cases where it has specifically alleged abusiveness, it wasn’t clear that the Bureau couldn’t have brought the allegations under either an unfairness or deception theory.

Of course, it remains to be seen how the Bureau will use its abusive authority when nominee Rohit Chopra is confirmed as director, as expected. Chopra’s nomination was sent to the Senate this week after the Senate Banking Committee vote resulted in a 12-12 tie. As we discussed here and here, Chopra is expected to be an enforcement minded director with an eye toward novel and creative interpretations of Bureau authority. The announcement today may foreshadow one of Chopra’s initiatives and usher in a new focus on the Bureau’s “abusive” authority under his leadership.

* * *

Subscribe to our Ad Law News and Views newsletter to get our most recent advertising and privacy law news and analysis all in one place.

While EPA has long prioritized enforcement of the rules governing antimicrobial products (disinfectants and the like), the current pandemic has elevated that focus substantially, particularly against products that claim or suggest effectiveness in fighting coronavirus and other microbes. Some of the more high-profile actions over the last year have targeted on-line sales of products (often imports) that are not registered with EPA to make antimicrobial claims, as required by the Federal Insecticide Fungicide and Rodenticide Act (FIFRA).

In a January 2021 update to a COVID-related compliance advisory first issued in May 2020, EPA reiterated its aggressive enforcement stance, with an emphasis on internet product sales:

“EPA is receiving a steady stream of tips/complaints concerning potentially false or misleading claims, including efficacy claims, associated with pesticides and devices. These tips and complaints are being actively reviewed and efforts are being made to identify violative products. EPA intends to pursue enforcement against products making false and misleading claims regarding their efficacy against the coronavirus. EPA is particularly concerned with pesticide and pesticide device products sold online on e-commerce platforms that are fraudulent, counterfeit, and/or otherwise ineffective. EPA is also coordinating with the U.S. Department of Justice, U.S. Customs and Border Protection, and other federal partners to bring the full force of the law against those selling or otherwise distributing violative products.”

The updated EPA advisory also highlights agency concerns with products improperly claiming long-lasting anti-viral effects (so-called “residual claims” that a product “provides an ongoing antimicrobial effect beyond the initial time of application, ranging from days to weeks to months”). Such claims only are allowed if approved by EPA and “supported by acceptable studies demonstrating satisfactory residual efficacy,” consistent with agency guidance issued in October 2020.

EPA’s updated advisory also expands on, and somewhat shifts, the agency’s discussion of pesticide “devices” (e.g., UV lights, ozone generators, and other instruments that use physical or mechanical means to control pests, including viruses and other germs) that claim to kill the coronavirus. Unlike chemical pesticides, devices are not required to be registered by EPA and, therefore, are not scrutinized by the agency to ensure they are safe to use or work as intended. [Note that devices must meet other EPA requirements, including being labeled with an “EPA Establishment Number” to identify the facility at which the device was produced, and not being marketed with “false or misleading” claims.] While EPA does not review efficacy data for these products, manufacturers must have on file adequate substantiation for the claims they make. Interestingly, the May 2020 advisory noted that “devices may not be able to make claims against coronavirus where devices have not been tested for efficacy or safety for use against the virus causing COVID-19 or harder-to-kill viruses.” This language has been replaced in the January 2021 advisory with a more general reminder that

“[M]aking false or misleading labeling claims about the safety or efficacy of a pesticidal devices is prohibited and could result in the issuance of a Stop Sale, Use, or Removal Order and penalties ….”

In addition, on the litigation front, EPA continues to fight two novel challenges to the scope of the agency’s enforcement authority. In the first case (Zuru LLC v. EPA), filed in September, the company is challenging EPA’s determination that its cleaning wipes are an unregistered pesticide, and blocking its importation, because the wipes contain an active ingredient found in a number of other EPA-registered disinfectants; of website statements made by third party resellers that the wipes are “disinfectants” and “kill germs”; and the product name “‘Bactive’ implies bacterial fighting properties.”

The second case, Tzumi Innovations v. EPA, filed in December, similarly involves objections to EPA’s designation of the company’s hand wipes (typically for use on the human body and an FDA-regulated product) as an unregistered pesticide and a threatened Stop Sale, Use, Or Removal Order (SSURO). EPA filed a new brief in that case on February 3 asserting that the matter is not ripe for review and, substantively, that the wipes are properly considered pesticides because they are being marketed for use on surfaces.

Both challenges provide a reminder of the extensive scope of EPA’s FIFRA authority, including over products that do not explicitly make antimicrobial claims, but imply such effectiveness through other statements or based on the presence of certain active ingredients. For a more detailed discussion, see my prior blog post.

A copy of EPA’s updated COVID Compliance Advisory “What You Need to Know Regarding Products Making Claims to Kill the Coronavirus Causing COVID-19″ is available here.

For much of the past few years, the FTC has been at the center of vigorous debates about the exercise of its competition and consumer protection authority, with issues such as consumer privacy and potential antitrust enforcement against internet platforms dominating much of the agency’s agenda. Although it is too early to assess how the FTC’s substantive priorities might change under new leadership, a look at the Commission’s structure provides some clues about the levers that a Biden-appointed Chair will be able to use to set the FTC’s direction. This post examines some of the key elements of that structure.

Vacancies and Party Balance

The first question is whether and when President Biden will be able to put the FTC under Democratic control. The FTC Act provides that no more than three Commissioners can be of the same political party. Currently, three Republicans and two Democrats lead the FTC, with Joe Simons, a Republican, serving as Chairman. President Trump appointed all five members of the current Commission; they were confirmed by the Senate and sworn in in 2018, resulting in the most rapid turnover in the FTC’s membership since its establishment in 1914.

The Biden Administration is likely to have fewer vacancies to fill initially. The Commissioners serve staggered seven-year terms, meaning that the terms don’t all expire at once. (See the table below for details.) Only Commissioner Rohit Chopra’s term has expired; he could be re-nominated or may continue to serve until a successor is confirmed. If Chairman Simons resigns, as is common upon a change in party control of the White House, the Biden Administration would be able to appoint a third Democrat. If other Commissioners resign before completing their terms, their successors would serve for the remainder of their predecessor’s original term.

Commissioner	Political Party	Term Dates
Joseph J. Simons (Chairman)	Republican	05/01/2018-09/25/2024
Rebecca Kelly Slaughter	Democrat	05/02/2018-09/25/2022
Noah Joshua Phillips	Republican	05/02/2018-09/25/2023
Christine S. Wilson	Republican	09/25/2018-09/25/2025
Rohit Chopra	Democrat	05/02/2018-09/25/2019

Even if Chairman Simons does not resign, the new President may replace him as Chairman. A new Chairman would have significant leeway to set the FTC’s priorities, starting with the ability to appoint new directors for the FTC’s three Bureaus: Consumer Protection, Competition, and Economics. The Bureau Directors, in turn, would be able to effectuate the new Chair’s priorities in their respective Bureaus through case selection and the development of regulatory and policy proposals. The Chair also has the ability to appoint a handful of other positions, such as the General Counsel, though these officials play a less influential role in setting enforcement and regulatory priorities.

The FTC Chair’s Levers and Limitations

At this point, it would be pure speculation to identify likely candidates for FTC Chair or the Directors of the Bureaus of Consumer Protection and Competition. One thing to note – given the way the Commission is viewing conflicts of interest in recent years, it is much less likely that these positions will be filled by attorneys in private practice. The Commission will impute a Firm’s entire client list to the candidate, creating a potential lengthy list of conflicts that could force a Commissioner or Directors to have to recuse themselves on important enforcement and policy issues. We saw this when Andrew Smith was proposed as Bureau Director, leading to a contentious debate at the Commission, with both Democrats voting against Mr. Smith.

Regardless, a Democratic Chair would face limitations in his or her ability to realize new enforcement or policy objectives. A majority of the Commissioners must vote in favor of any significant agency action, such as proposing or issuing rules, filing complaints, and accepting settlements. Furthermore, if Chairman Simons departs from the Commission, the Senate could be slow to confirm a fifth Commissioner. In the meantime, the Commission would be evenly split between Democrats and Republicans, creating the potential for a stalemate which could delay any significant agency action.

The FTC is likely to undergo significant changes in a Democratic administration. Still, like most things in a new administration, its effects will take time to unfold. We will continue to closely monitor developments during the transition and beyond.