Consumer Protection Alert

President Nominates CPSC Executive Director Elliot Kaye to be Chairman 

President Obama announced yesterday his intent to nominate Elliot Kaye to be chairman of the U.S. Consumer Product Safety Commission.  Kaye currently serves as Executive Director, and previously as Chief of Staff for and Senior Counsel to Inez Tenenbaum.  Among Kaye’s key areas of focus at the agency have been efforts to improve youth helmet safety.  He also spearheaded the behind-the-scenes negotiations over the development of the agency’s public product hazard reporting database, SaferProducts.gov.  Before working at the agency, he worked as an attorney at a law firm in D.C. and as a senior aide in several congressional offices.

Kaye will join Intertek executive Joe Mohorovic, a former aide to Chairman Hal Stratton who was nominated to fill a vacant Republican seat last fall, in being considered by the Senate.  In recent years, Republican and Democratic nominees have been considered and confirmed together, making it likely that the same process will be followed here.  Given the Senate’s calendar and recent change in rules related to the consideration of most nominees, Kaye and Mohorovic’s nominations are likely to be voted on by the Senate before the fall.  Commissioner Bob Adler has served has Acting Chairman since Inez Tenenbaum stepped down last fall and is expected to remain in that role until Kaye is confirmed.  Adler’s term officially ends this coming October, but he may be nominated to a succeeding term and in any case can remain on the Commission for a holdover year unless a replacement is named and confirmed earlier.

The agency’s posture is not expected to change significantly if Kaye is confirmed.  That may change if Adler’s seat becomes vacant, which would leave the Commission divided between two Democrats and two Republicans as it was for most of 2012.

CPSC Holds Workshop on Potential Ways to Reduce Third Party Testing Costs

The CPSC will hold a workshop on April 3, 2014, to discuss ways to decrease third-party testing costs for products containing trace elements of lead and six phthalates found in children’s toys.  Under current regulations, companies manufacturing children’s toys subject to the Toy Standard (ATSM F963-11) are required to undergo third-party testing to ensure that the product does not contain lead in excess of 100 parts per million (ppm) or phthalates which exceed the maximum allowable limit of 0.1 percent (1000 ppm), as mandated by the Consumer Product Safety Improvement Act of 2008 (CPSIA).

In 2011, CPSC was tasked (see Public Law 112-28) with seeking “opportunities to reduce the cost of third party testing requirements consistent with assuring compliance with any applicable consumer product safety rule, ban, standard, or regulation.”  After seeking comments from the public on the subject (see here and here), the agency announced a workshop to continue discussions on the issue.  Among the questions to be discussed are:

• Is there a method for determining which products can be omitted from third-party testing requirements due to a high level of assurance that they will not exceed the maximum allowable limits for lead and phthalates?
• Are there materials that should always be required to undergo third-party testing?
• How should the CPSC evaluate new applications or methods of production to determine compliance with phthalate and lead limitations?
• What technical, practical, or implementation issues should CPSC consider when conducting its evaluation and making recommendations?

The workshop is being held at CPSC’s National Product Testing and Evaluation Center in Rockville, Maryland.  The agency previously made official determinations that several substances will not contain excess levels of lead (see 16 C.F.R. § 1500.91), but has been heavily criticized for failing to do more to reduce the high cost of third-party testing in recent years.  Those costs have spread around industry, burdening even businesses and industries not directly affected by the agency’s testing rule. 

FTC and California Argue That COPPA Does Not Restrict State Laws on Teenagers' Privacy

The Federal Trade Commission (FTC) and California Attorney General Kamala Harris filed separate briefs with the Ninth Circuit Court of Appeals arguing that the federal Children’s Online Privacy Protection Act (COPPA) did not block states from creating and enforcing their own laws that address teenagers’ privacy (see the FTC’s brief here and the California brief here.  The filings come in litigation over a contested settlement related to Facebook’s use of “sponsored stories,” advertisements that depicted brands’ content alongside the users’ names and profile photos.  Outside groups objected to the settlement by arguing that it would allow Facebook to use teenagers’ images in advertising without parental consent, which would allegedly violate California Civil Code § 3344 and other states’ laws.  Facebook argues that state laws regulating the use of teenagers’ personal information are preempted by COPPA.

It is important to note that in its revision of the COPPA Rule, the FTC determined that photos, videos, and audio files of children under 13 are per se personal information, a conclusion not mentioned in its brief and highly relevant to the preemption issue before the court.  A ruling that COPPA does not preempt state law, however, could mean more state laws governing teen privacy, and also undermine the ability of teen-directed branded websites to rely on standard terms and conditions of websites to collect data from teens – including uploaded user-generated content – without formal written parental consent.  The court’s ruling thus bears close watch.

Rockefeller Releases Report on Target Breach and Chairs Hearing on Cybersecurity

Senator Jay Rockefeller released a report detailing missed opportunities to improve security and vulnerable security methods which allegedly contributed to the data breach suffered by Target Inc.  The report is based on information from reports and expert witnesses related to the recent high-profile data beach.  The breach occurred during the 2013 holiday season when hackers installed malware on Target’s computer network that allowed them to siphon the information and payment-card data of as many as 110 million customers.  The information was removed from Target’s servers and routed to a server in Eastern Europe, after initially being rerouted to various servers within the United States.  Target publicly announced the breach December 19, 2013.  Since the announcement, bills addressing data breaches and cybersecurity have been introduced in Congress and several hearings have been held in an effort to promote improved data security measures.

Rockefeller, who introduced a data breach bill earlier this year, presented the Target analysis in an effort to continue discussions on data security.  The report was followed by a hearing this week that included representatives from Target and University of Maryland (UMD), which also suffered a recent data breach.  During the hearing, UMD’s president, Wallace Loh, highlighted the differences in data protection between the private sector and public institutions, with universities having to balance important considerations of open access and the free exchange of ideas with maintaining data security for sensitive personal information.  He also argued that the costs of data protection measures being discussed – and mandated responses to breaches, like offering free credit monitoring – “would bankrupt most universities.”  He called for a federal data breach law.

FTC Chairwoman Edith Ramirez also spoke at the hearing.  Saying “companies are underinvesting when it comes to data security,” she urged Congress to grant enforcement authority to the FTC.  Ramirez claimed that allowing FTC to seek civil penalties for data breach violations would serve as a deterrent and would ensure that companies protect consumers’ personal information.  Apart from possible federal and state enforcement actions, several lawsuits have already been filed against Target by putative classes and even financial institutions.  With the growing spotlight on data security, businesses need to check technical security measures, evaluate best practices, and monitor the political landscape for potential new requirements. 

For more information about privacy, data security, product safety, and other consumer protection–related issues, contact Sheila A. Millar at millar@khlaw.com or 202 434-4143; JC Walker at walker@khlaw.com or 202 434-4181; or Tracy P. Marshall at marshall@khlaw.com or 202 434-4234.