By Sheila A. Millar and Tracy P. Marshall

In the absence of a comprehensive U.S. federal privacy law, three states – California, Virginia, and Colorado – have enacted comprehensive privacy laws as of this year. The California Consumer Privacy Act (CCPA) is in effect now, and the California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), and Colorado Privacy Act (CPA) will take effect in 2023. To help businesses plan for compliance, Keller and Heckman LLP has created a side-by-side comparison of some of the key provisions of each law, along with an overview of some of the federal privacy bills introduced in 2021. Click here to read the full article.

By Sheila A. Millar and Tracy P. Marshall

“Dark patterns” – user interfaces that are designed, intentionally or unintentionally, to influence user decision making – have been increasingly on the Federal Trade Commission’s (FTC or Commission) radar. As we previously reported, the FTC held a workshop earlier this year to examine, among other things, how dark patterns affect online user behavior and whether additional rules, standards, or enforcement efforts are needed to protect consumers. Recently, negative option marketing, a common marketing method used by companies that includes automatic renewals, continuity plans, free-to-pay or fee-to-pay conversions, and prenotification plans, came under scrutiny after the FTC received thousands of complaints from consumers. In response, on October 28, 2021, the FTC announced a new Enforcement Policy Statement Regarding Negative Option Marketing (Enforcement Policy Statement or Statement) which makes clear that if negative option offers are made deceptively or misleadingly, they can expose offending businesses to enforcement actions including civil penalties.

The FTC describes negative option marketing as “an offer that contains a term or condition under which the seller may interpret a consumer’s silence or failure to take affirmative action to reject a good or service or to cancel the agreement as acceptance or continuing acceptance of the offer.” Negative option marketing schemes are commonplace and, as the FTC notes, can offer benefits to both consumers and businesses. However, the Commission warns that companies using unfair or deceptive negative option practices are “a persistent source of consumer harm, often saddling shoppers with recurring payments for products and services they did not intend to purchase or did not want to continue to purchase.” The Commission reminds businesses of their obligations under the laws that govern online sales, principally Section 5 of the FTC Act, but also the Restore Online Shoppers’ Confidence Act (ROSCA), the Telemarketing Sales Rule, the Use of Prenotification Negative Plans Rule, the Postal Reorganization Act, and the Electronic Funds Transfer Act.

To provide businesses with a roadmap for compliance with the various statutes and rules, the Enforcement Policy Statement builds on previous FTC guidance and focuses on three principal areas: disclosure; consent; and cancellation.

Disclosure: Businesses are advised to disclose, clearly and conspicuously, all material terms of an offer, including:

  • Any express or implied claims;
  • Any material terms related to the product or service that are necessary to prevent deception, regardless of whether those terms directly relate to the terms of the negative option offer;
  • Charges for the product or service, or that charges will increase after the trial period ends, and, if applicable, that charges recur unless the consumer takes appropriate steps to stop them;
  • Each deadline by which the consumer must act to stop the charges;
  • The amount or range of costs the consumer will be charged or billed and the frequency of charges;
  • The date(s) each charge will be submitted for payment; and
  • All information necessary to cancel the contract.

The Statement also offers advice on how to ensure that negative option offers meet the FTC’s expectations for “clear and conspicuous” disclosures.

Consent: Marketers must obtain a consumer’s express consent. The Statement offers the following guidance:

  • The negative option seller must obtain a consumer’s unambiguously affirmative consent to the negative option offer and must accept it separately from the rest of the transaction;
  • The seller must not include any information that interferes with, detracts from, contradicts, or otherwise undermines the ability of consumers to provide their express informed consent to the negative option feature;
  • The seller must obtain a consumer’s unambiguously affirmative consent to the entire transaction; and
  • The seller must be able to verify consent.

Cancellation: Cancellation processes should be easy for consumers. Negative option sellers must provide a simple, reasonable, and effective means for consumers to cancel their contracts. The Statement advises companies to ensure that:

  • Cancellation mechanisms are at least as easy to use as the method a consumer used to initiate the negative option feature;
  • Cancellation mechanisms are made available through the same medium as the negative option offer; and
  • Cancellation requests that comply with the company’s procedures will be honored, and the company will not interfere with the effectiveness of its cancellation processes.

The Commission approved the Enforcement Policy Statement by a 3-1 vote. Commissioner Christine S. Wilson voted no and issued a dissenting statement objecting to guidance being issued during an open rulemaking on the topics covered in the Enforcement Policy Statement. While expressing general support for the guidance itself, her objection was grounded in concerns that issuance of the guidance appeared to “short-circuit” the ongoing rulemaking. Commissioner Noah J. Phillips voted yes and issued a concurring statement applauding the Enforcement Policy Statement as a helpful framework to explain the FTC’s expectations of businesses engaging in negative option marketing offers. He pointed out that negative option marketing rulemaking implicates the Magnuson Moss Warranty-Federal Trade Commission Improvements Act, and that “even though the Commission has begun this process, this kind of rulemaking sensibly includes regulatory guardrails that have certain timing constraints and could require the consumption of substantial agency resources. The policy statement provides immediate guidance to industry, without the wait.”

Negative option sales and techniques are only one example of how the FTC’s larger interest in so-called “dark patterns” might come into play in practice. Businesses that advertise negative option offers should familiarize themselves with the latest Enforcement Policy Statement. If done right, negative marketing offers should provide the necessary convenience and clarity to consumers, reduce customer acquisition costs, and increase sales.

By Sheila A. Millar and Mike Gentine

Richard Trumka, Jr., nominated by President Biden for a seat on the U.S. Consumer Product Safety Commission (CPSC), was confirmed Tuesday evening, November 16, 2021, by a unanimous voice vote in the Senate. When he takes his oath of office, which will likely be within a week or two, Trumka will take the seat of fellow Democrat and former Acting Chair Bob Adler, whose term expired October 27 (though he could have held over up to a year or until Trumka was confirmed).

Trumka, son of the late labor leader Richard Trumka, Sr., served as General Counsel & Staff Director of the Economic and Consumer Policy Subcommittee of the U.S. House of Representatives’ Committee on Oversight and Government Reform. Adler has been associated with CPSC since its creation, having served as a staffer to two Commissioners in the 1970s, and he has served two terms in that office himself, joining the Commission in 2009.

Trumka’s arrival will still leave the Commission one short of its full five-member complement and at a 2-2 party count. Mary Boyle, currently the agency’s Executive Director but nominated for the vacant seat on the body, has not yet been voted out of the Senate Commerce Committee. With less than three weeks left on the current Senate calendar, it is unclear if time remains for Boyle to clear both the committee and the Senate floor. If she does not, her nomination would be returned to the White House as the 117th Congress concludes its first session at the end of the year. At that point, President Biden may renominate her or may choose to go in a different direction.

If Boyle is ultimately confirmed, the Commissioners and their terms would be as follows through the current Biden Administration:

Biden Consumer Product Safety Commission

Commissioner                         Term Through
Dana Baiocco (R)                     2024
Mary Boyle (D), if confirmed         2025
Peter Feldman (R)                    2026
Alexander Hoehn-Saric (D, Chair)     2027
Richard Trumka, Jr. (D)              2028


By Sheila A. Millar and Tracy P. Marshall

The newly established California Privacy Protection Agency (the Agency) is soliciting public comments on a number of issues, as required by the California Privacy Rights Act (CPRA) that was passed by ballot initiative in November 2020. CPRA expands the rights afforded to California residents and the obligations imposed on businesses under the California Consumer Privacy Act (CCPA) and directs the Agency to adopt rules to address CPRA’s new provisions. The Agency’s Notice of Invitation for Preliminary Comments, published on September 22, 2021, stresses that the request is not part of a proposed rulemaking but rather is a preliminary step, as public input “will assist the Agency in developing new regulations, determining whether changes to existing regulations are necessary, and achieving the law’s regulatory objectives in the most effective manner.”

Comments are due November 8, 2021. Stakeholders can submit comments on any aspects of the CCPA, but the Agency is particularly interested in feedback on the following:

Processing that presents a significant risk to consumers’ privacy or security: cybersecurity audits and risk assessments performed by businesses. The Agency’s questions are directed primarily at what cybersecurity audits and risk assessments performed by businesses should cover, what steps businesses should take, and the consequences if a business determines that the risks the processing poses to a consumer’s privacy outweigh the benefits to the business.

Automated decision-making. CPRA confers rights to consumers beyond those adopted under the CCPA. CPRA requires the Agency to adopt regulations governing consumers’ access to information about a business’ use of automated decision-making technology or profiling and consumers’ right to opt-out. The Agency seeks comments on what activities should be deemed automated decision-making technology or profiling, the extent of a consumer’s opt-out rights, and what information businesses should provide to consumers in response to an access request.

Audits of CCPA compliance. CPRA authorizes the Agency to audit businesses’ compliance with the CCPA. Feedback is sought regarding the scope of the Agency’s audit authority, the processes it should follow, and the safeguards it should employ to protect consumers’ personal information from disclosure to an auditor.

Consumer right to correct personal information. CPRA requires additional rulemaking on a consumer’s right to correct the personal information a business has collected, which is in addition to existing rights to know what personal information has been collected and to delete personal information. The Agency asks what changes or new rules and procedures should be adopted to allow consumers to request corrections of personal information, how often and under what circumstances consumers should be allowed to request correction, and what steps a business should take in response.

Consumer rights to limit the use and disclosure of sensitive personal information. The Agency seeks input on what rules and procedures should be established to allow consumers to limit use of their sensitive personal information and how businesses should establish that a consumer is under 13 or between 13 and 16.

Information to be provided in response to a consumer’s request to know. CPRA generally requires that responses to a consumer request cover the 12 months prior to the request, but as of January 1, 2022, consumers may request information beyond the 12-month window. Businesses must comply unless it is impossible or disproportionately difficult. The Agency asks for input on what standard a business should apply in making such a determination.

Definitions and categories. The Agency also welcomes comments on what updates or additions, if any, should be made to the categories of “personal information” under CCPA, particularly to the categories of “sensitive personal information,” “deidentified,” and/or “unique identifier.”

While the request for comments is a preliminary step, it may prove especially helpful for affected businesses to offer practical perspectives on compliance implications as well as on the costs and benefits of different options. Public comments received will be posted on the Agency’s website. The Agency will invite additional public feedback on any proposed regulations or modifications once it publishes a notice of proposed rulemaking.

By Sheila A. Millar and Tracy P. Marshall

Following the U.S. Supreme Court’s April 22, 2021 decision in AMG Capital Management, LLC v. Federal Trade Commission, which put the brakes on the ability of the Federal Trade Commission (FTC or Commission) to use its Section 13(b) authority to seek monetary penalties for violations of the FTC Act, the Commission has sought another route to possibly recover civil penalties: it revived the agency’s long-dormant Penalty Offense Authority under Section 5(m)(1)(B) of the FTC Act (15 U.S.C. § 45(m)(1)(B)). Section 5(m)(1)(B) allows the Commission to pursue civil penalties in federal court if it satisfies two requirements. First, the FTC must prove that a company knew its conduct violated the FTC Act. To establish actual knowledge, the Commission sends a business a Notice of Penalty Offenses (also referred to as a “Section 205 Synopsis”) that outlines conduct the FTC has determined violates the FTC Act. Second, the FTC must have issued a previous administrative order (other than a consent order) that determined certain specific conduct was unfair or deceptive. If, after receiving notice, a business engages in practices deemed violative, the FTC can pursue civil penalties of up to $43,792 per violation in federal court.

The FTC has flexed this new muscle twice in the past week, sending a Notice of Penalty Offenses to more than 700 businesses regarding fake reviews and misleading endorsements and a Notice of Penalty Offenses to 70 for-profit higher educational organizations in respect of false promises made about graduates’ job and earnings prospects. Notably, while other FTC policy statements and initiatives have garnered dissents, the Commission voted 5-0 to authorize and distribute the notices.

Penalty Offenses Concerning Education. The FTC’s Notices of Penalty Offenses to the educational organizations warned them not to misrepresent, directly or indirectly, the employment prospects of graduates, the demand for particular coursework, a graduate’s potential remuneration, and the extent of the institution’s job placement assistance program. In an accompanying letter, the FTC warned the companies that failure to cease deceptive conduct could result in significant fines. The notices state that receipt of the letter does not reflect an assessment that the recipient has engaged in conduct that might be deemed deceptive or unfair. Rather, it includes the following statement:

Receipt of this Notice puts your company on notice that engaging in conduct described therein could subject the company to civil penalties of up to $43,792 per violation. See 15 U.S.C. § 45(m)(1)(B).

In late 2020, Commissioner Rohit Chopra and FTC attorney Samuel Levine (now Director of the FTC’s Bureau of Consumer Protection) jointly published an article in which they advocated for the FTC to restore its Penalty Offense Authority, which the Commission ceased using in the 1980s. Chopra and Levine argued the Commission could “substantially increase deterrence and reduce litigation risk by noticing whole industries of Penalty Offenses, exposing violators to significant civil penalties, while helping to ensure fairness for honest firms.” While the FTC has gone after for-profit educational organizations for deceptive practices multiple times, this is the first time it has issued Section 5(m)(1)(B) notices to do so.

The FTC created a webpage listing the educational organizations that received Notices, a sample Notice and letter, and links to the administrative orders cited in the Notice (which date from 1980, 1971, and 1952).

Penalty Offenses Concerning Endorsements. The FTC sent another, even larger, batch of Notices of Penalty Offenses on October 13, this time to over 700 companies in diverse industries. The Commission warned the companies that certain conduct related to the use of endorsers and testimonials, such as misrepresenting that an endorser is an actual or recent customer, misrepresenting that an endorsement represents the experience or opinions of ordinary customers, or using an endorsement to make deceptive performance claims, violates Section 5 of the FTC Act. The Commission informed the companies they are on notice that engaging in prohibited conduct could subject them to civil penalties of up to $43,792 per violation.

As with the Notice of Penalty Offenses directed to for-profit educational institutions, the Penalty Offenses Concerning Endorsements website lists the cases the FTC relied on, which date from between 1941 and 1984, and includes a sample Notice and letter and a list of recipients.

Many companies have internal policies governing endorsements and testimonials, but the FTC’s recent actions emphasize the importance of reviewing those policies to make sure they are up to date or implementing internal policies if they are not already in place.

By Sheila A. Millar, Jean-Cyril Walker, and Anushka N. Rahman

On October 5, 2021, California Governor Gavin Newsom signed a package of environmental legislation into law, including two bills aimed at environmental marketing claims. SB 343, Truth in Labeling for Recyclable Materials, which we previously wrote about here, will significantly affect how recyclability claims can be made. Under AB 1201, compostable and degradable claim restrictions, which previously existed only for plastic products, will apply to all products.

SB 343: Recyclable, recycled content and use of the chasing arrows symbol. SB 343 is designed to restrict recyclability claims for both plastic and non-plastic products and packaging in the state, potentially as early as January 1, 2024, with some exceptions or defenses. The bill declares use of the chasing arrows symbol, the arrow design surrounding the plastic resin identification code (RIC) (which does not incorporate the Mobius loop design), or any other symbol or statement indicating recyclability, to be deceptive or misleading unless the product or packaging is considered recyclable pursuant to statewide recyclability criteria set out in the bill. Equally importantly, the law builds on previously existing requirements under Cal. Bus. & Prof. Code § 17580 that anyone representing in labeling or advertising that a product is not harmful or is beneficial to the environment must document and maintain written records supporting the validity of the representation. While these requirements previously applied to broad environmental claims such as “earth friendly” and “green product,” and while all non-puffery marketing claims should be substantiated, companies do not always maintain a substantiation file with all of the information required under Cal. Bus. & Prof. Code § 17580. By extending the documentation requirements to recyclable claims, the new law may make recyclable claims more difficult and put a larger spotlight on other claims.

A significant issue with the law is that it appears to be in conflict with both guidance from global self-regulatory bodies and the U.S. Federal Trade Commission’s (FTC) Guides for the Use of Environmental Marketing Claims (“Green Guides”). The Green Guides specifically address the use of the RIC, which is required by law in 39 states, noting that inconspicuous use of the RIC (for example, molded into the bottom of a rigid plastic container) does not constitute an unqualified recyclable claim. Conversely, a prominent depiction of the RIC, including in conjunction with a “recyclable” claim, would have to be qualified if the product made of the referenced plastic resin does not meet the criteria for an unqualified recyclable claim under the FTC’s existing guidance. Adding to the confusion, SB 343 recognizes compliance with the Guides for some claims as an affirmative defense.

An ASTM committee now oversees the RIC and recommends a solid triangle design. While state laws still reference the original RIC design with the arrow, it seems unlikely that adopting the solid triangle design would generate enforcement attention by state regulators.

Notably, the law’s restrictions on use of the chasing arrow symbol may affect not only the RIC, but also use of the Mobius loop to convey recycled content. The Green Guides already suggest qualifiers to convey recycled content and recyclable messaging, so using the Mobius loop’s chasing arrows to denote recycled material with an express statement of the percentage involved should not be a violation.

AB 1201: Compostable and degradable claims for products. Previously existing California law included some specific restrictions on the sale of plastic products advertised as compostable and degradable. The requirements were updated only a year ago to, among other changes, remove a reference to a test method for marine degradability, as we noted previously. AB 1201 replaces the term “plastic product” in California’s law restricting compostable and degradable claims with “product,” giving the law broader reach. A “product” is defined to include, but is not limited to:

  • A consumer product;
  • A package or a packaging component;
  • A bag, sack, wrap, or other thin plastic sheet film product; and
  • A food or beverage container or a container component, including, but not limited to, a straw, lid, or utensil.

Fiber products that do not contain any plastics or polymers are exempt from the requirement to comply with an applicable standard specification; the legislation does not appear to distinguish between traditional plastics and bioplastics. The law does not change the requirement that biodegradable claims must meet a standard specified by the state, but the latest iteration still does not adopt a reference standard to determine degradability in soil, various landfill or marine conditions. Thus, AB 1201 effectively extends the prior practical ban on degradability claims for plastics to all products that meet the relevant definitions. Some national marketers that meet FTC criteria for degradability claims may include statements explaining that the product is not considered degradable in California.

AB 1201 also tightens requirements for a product labeled “compostable” or “home compostable,” which must:

  • Be certified as meeting the applicable standard specification by an approved third-party certification entity. This requirement will apply after January 1, 2024, if an approved third-party certification entity has existed for at least one year prior to the product being sold or offered for sale;
  • After January 1, 2026 (unless conditions for an extension apply), be “an allowable agricultural organic input under the requirements of the United States Department of Agriculture National Organic Program,” unless California’s Department of Resources Recycling and Recovery (“CalRecycle”) determines that it is possible to recover organic waste for use in agricultural applications from the collection of products that are not suitable for such application. In such case, products that are not collected for the purpose of recovering waste for agricultural applications are not subject to this requirement;
  • Not exceed 100 parts per million of total organic fluorine;
  • Be labeled to distinguish the product from a non-compostable product; and
  • Be “designed to be associated with the recovery of desirable organic wastes” unless CalRecycle determines that it is possible to recover organic waste for use in agricultural applications from the collection of products that are not suitable for such application.

This is the first example of a law that mandates third-party certification of an environmental claim or legislatively incorporates chemical restrictions on making such a claim.

While it remains to be seen how the state will enforce these new legislative requirements, opponents have raised concerns. For example, it is feared that the restrictions in SB 343 will suppress recycling rates and actually result in more waste. The possibility of a First Amendment challenge exists for both laws, and SB 343’s restriction on importing a product into the state that does not comply also raises questions about whether such a restriction is an unconstitutional burden on interstate commerce. Assuring that all claims, including environmental claims, are truthful and non-deceptive is a core value for responsible businesses, but national guidance, through instruments like the FTC Green Guides (which are slated for review in 2022), not a proliferation of conflicting state laws, is better for consumers and businesses alike.

By Sheila A. Millar and Mike Gentine

Alexander Hoehn-Saric, nominated by President Biden for both a seat on the U.S. Consumer Product Safety Commission (CPSC) and the chairmanship of that body, was confirmed late Thursday night by a unanimous voice vote. When he takes his oath of office, Hoehn-Saric will be CPSC’s first permanent chair in more than four years.

Fellow Democrat and current Acting Chair Bob Adler’s term expires October 27, but he can hold over for up to a year or until his nominated replacement, Richard Trumka, Jr., is confirmed. Trumka’s nomination cleared the Senate Commerce, Science, and Transportation Committee and is available for a floor vote, but it’s not clear when that will occur (Hoehn-Saric’s vote came without prior notice, so Trumka’s could likewise happen suddenly). Mary Boyle, currently the agency’s Executive Director and a longtime CPSC staffer, has also been nominated for a currently vacant seat, but her nomination has not yet cleared the Senate Commerce Committee.

Republican Commissioners Dana Baiocco and Peter Feldman last week collaborated to use their then-majority to significantly amend the Fiscal Year 2022 Operating Plan. It’s not clear if this maneuver, which brought fierce dissent from Adler and drew the attention of both Republicans and Democrats on the Hill, spurred Hoehn-Saric’s confirmation, but for the time being the Commission will operate with two Republicans and two Democrats when he takes the chairmanship.

By Sheila A. Millar and Mike Gentine

The U.S. Consumer Product Safety Commission (CPSC) has approved its Operating Plan (Op Plan) for the 2022 Fiscal Year (FY 22) that begins October 1, 2021, according to a joint statement from its two Republican members, Dana Baiocco and Peter Feldman. The Op Plan is the central governing document for CPSC, outlining the projects and priorities the agency will focus on through a fiscal year. It identifies the objectives for every agency office, the rules and standards the agency intends to issue or advance, and the resources the agency is committing to its many activities.

As outlined in the joint statement, the approved FY 22 Op Plan:

  • Increases CPSC’s presence at the nation’s ports by adding 27 new inspectors;
  • Adds resources to the Field Operations team within CPSC’s Office of Compliance;
  • Reinstates the specialized Children’s Product Defect Team within Compliance;
  • Expands the agency’s laboratory facilities;
  • Directs CPSC staff to pursue mandatory rulemaking regarding “Support Pillows and Nursing Support Products;”
  • Increases the budget of the Office of Communications by nearly 25 percent; and
  • Works to address data security recommendations of the CPSC Inspector General (IG), including those the IG made in response to the massive unauthorized disclosure of sensitive company and consumer data the agency revealed in 2019.

However, the approval of the FY 22 Op Plan is not without controversy. As the joint statement notes, the Commission voted 2-1 to approve the plan. A separate statement by Acting Chairman Robert Adler notes that the approved plan reflects “over 50 amendments [Baiocco and Feldman offered] with no advance notice” in what Adler describes as “Government by Ambush.” Later, CPSC’s Secretary released the Record of Commission Action (RCA) for the vote – the official document stating the outcome of the decision – stating that “[U]pon request for review by the Acting Chairman, the Acting General Counsel determined that the vote . . . is null and void because the Decision Making Procedures were not followed.” Adler subsequently issued a further statement, highlighting the RCA and raising both procedural and substantive objections.

As the basis of the Acting General Counsel’s position was not reflected in the RCA, and the Decision Making Procedures are a “For Official Use Only” internal document, there are two possible outcomes. If the Acting General Counsel’s determination is based on procedural and not substantive concerns, a vote could presumably be re-taken in accordance with the Decision Making Procedures. If the basis of the determination is both substantive and procedural, CPSC would be left without an Op Plan until some consensus emerges.

As of this writing, it is not clear what legal effect the 2-1 vote to approve the plan has, if any, or whether CPSC actually has a plan for its 2022 Fiscal Year. Assuming the vote stands (if, for example, Baiocco and Feldman vote to overrule the Acting General Counsel), the Baiocco and Feldman amendments address a variety of subjects. Many are institutional topics, such as a direction to the agency to adopt the Inspector General’s (IG’s) recommendations, along with provisions to strictly limit CPSC’s ability to use paid spokespersons or influencers, to ban all CPSC staff from using TikTok on any CPSC-issued device, and to prohibit the agency from distributing any of its messaging through the app (presumably based on security concerns). Some amendments narrow, expand, or shift CPSC’s FY 22 safety priorities. Among these is a direction to the Office of Import Surveillance to place more emphasis on high-volume ports instead of the greater focus on de minimis (e.g., direct-to-consumer) imports that the staff draft Op Plan had proposed. Commissioners Baiocco and Feldman describe this alignment as “consistent with . . . Congressional mandates.”

Of note to manufacturers of e-cigarettes, the amended Op Plan directs staff “to increase enforcement activity of the Child Nicotine Poisoning Prevention Act [CNPPA] . . . including removal of noncompliant liquid nicotine containers from commerce.” Field agents have already prioritized CNPPA compliance, generally focused on removal and destruction of non-compliant inventory from retail and distribution outlets. To date, consumer-level recalls have not been conducted.

The internal disagreement over the Op Plan is another sign of an agency in flux. As Adler’s statement notes, three Democratic nominees await confirmation by the Senate. However, only two of those three – Alexander Hoehn-Saric, nominated for Chairman, and Richard Trumka, Jr. – have cleared the Commerce Committee. The Committee vote on the third nominee, current CPSC Executive Director Mary Boyle, was pulled from the agenda of the most recent hearing. As Trumka is nominated for the seat Adler currently holds, if he and Hoehn-Saric are confirmed but Boyle is not, CPSC would face a 2-2 party split, albeit with a confirmed chair for the first time in more than four years. Regardless, the business community wants and needs an effective, fair, and appropriately focused national product safety agency, and so will need to continue to monitor CPSC developments closely.

UPDATE:

The dispute over the purported procedural issues in the FY 22 Op Plan vote saw two remarkable developments after we posted this article.

First, Acting Chairman Adler’s assertion that the Acting General Counsel had – and even could – determine that the 2-1 vote that had passed the Op Plan as amended was “null and void” stirred the ire of Senator Roger Wicker (R-MS), Ranking Member of the Senate Committee on Commerce, Science & Transportation, which oversees CPSC. Urging Adler to reverse his course, Wicker wrote on September 29:

There is no way to interpret this action except as a brazen act of sabotage by an acting Chairman who found himself on the losing side of a vote. During my tenure as Ranking Member and formerly as Chairman of the Senate Commerce Committee . . . I have never seen a vote by the Senate-confirmed commissioners of an independent agency nullified by an Acting General Counsel.

The Commerce Committee Chair, Maria Cantwell (D-WA), has not weighed in on the dispute among the Commissioners.

Second, without further delay, the Commission voted on October 1 – again 2-1, with Adler in the minority – that “[t]he General Counsel has no authority . . . to nullify a vote of the Commission,” adding that, even if such authority existed, the vote approving the amended FY 22 Op Plan was proper and thus the plan, as amended, was approved on September 24, 2021.

At this writing, it is not clear if there will again be an effort to challenge this second vote.

Sheila A. Millar, Tracy P. Marshall, Anushka N. Rahman

With millions of Internet of Things (IoT) devices from phones to smart home sensors flooding the market every year, effective cybersecurity to help mitigate risks to devices is vital. New guidance from the National Institute of Standards and Technology (NIST), IoT Non-Technical Supporting Capability Core Baseline (NISTIR 8259B), is intended to help manufacturers identify the non-technical capabilities they need to support device and system cybersecurity controls and to communicate with customers and third parties effectively. NISTIR 8259B is one of four documents recently released by NIST to help manufacturers and federal agencies manage cybersecurity, which include IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements (SP 800-213), Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline (NISTIR 8259C), and Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government (NISTIR 8259D).

The guidance notes that “both device cybersecurity capabilities and non-technical supporting capabilities are vital to customers’ abilities to achieve their needs and goals.” While IoT devices are typically secured through technological capabilities, NISTIR 8259B focuses on the non-technical supporting capabilities, the actions “that manufacturers or third parties take in support of the initial and ongoing security of IoT devices.” The guidance identifies four primary non-technical areas of cybersecurity:

  • Documentation, which ensures that customers and third parties have the information they need to ensure their device and its data are secure;
  • Information and query reception, which helps businesses respond to questions customers and others may have about a device’s security and operation;
  • Information dissemination, which ensures that customers are kept in the loop about any newly discovered security issues or device or related systems updates; and
  • Education and awareness, to assist customers and others in understanding how to secure and protect IoT software, hardware, and systems.

The guidance contains several tables that lay out detailed steps of common actions for organizations to consider taking and encourages organizations to add other non-technical capabilities where needed. NIST also updated its IoT catalog for device technical cybersecurity capabilities and supporting non-technical capabilities.

As IoT devices continue to rise in popularity, it is vital for manufacturers to ensure that their products come designed not only with effective cybersecurity technology but also with a plan for communicating with customers and third parties, keeping detailed records, and efficient methods for responding to questions. NISTIR 8259B gives organizations a helpful place to start, and this and other NIST guidance on IoT security may be relevant to the ongoing NIST cybersecurity labeling initiative.


Sheila A. Millar, Anushka N. Rahman

On August 31, 2021, the National Institute of Standards and Technology (NIST) released its draft white paper, DRAFT Baseline Security Criteria for Consumer IoT Devices. The draft white paper is in response to Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” which requires NIST, in collaboration with other agencies, to educate the public on Internet-of-Things (IoT) security. The draft white paper proposes baseline security criteria for consumer IoT products as part of a cybersecurity labeling program and builds on NIST’s Secure Software Development Framework (SSDF) and other NIST documents. NIST is not establishing its own labeling program but instead seeks to identify minimum requirements for programs, which it must do by February 6, 2022.

NIST’s summary sets out the timelines and objectives, along with some general principles. Labeling should:

  • Encourage innovation in manufacturers’ IoT security efforts, leaving room for changes in technologies and the security landscape.
  • Be practical and not be burdensome to manufacturers and distributors.
  • Factor in usability as a key consideration.
  • Build on national and international experience.
  • Allow for diversity of approaches and solutions across industries, verticals, and use cases – so long as they are deemed useful and effective for consumers.

The proposed labeling criteria set out in the draft white paper build on NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline, and NISTIR 8259B, IoT Non-Technical Supporting Capability Core Baseline. NISTIR 8259B itself is new guidance released last month, and is intended to help manufacturers identify the non-technical capabilities they need to support device and system cybersecurity controls and to communicate with customers and third parties effectively. NISTIR 8259B is one of four documents recently released by NIST to help manufacturers and federal agencies manage cybersecurity, which include IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements (SP 800-213), Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline (NISTIR 8259C), and Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government (NISTIR 8259D).

NIST hosted an informative workshop on the proposed labeling criteria and related issues on September 14–15, as previously announced. The workshop featured a variety of stakeholders, including representatives from federal agencies with experience in labeling programs, such as the Environmental Protection Agency (EPA), Federal Trade Commission (FTC), and Consumer Product Safety Commission (CPSC), as well as international experts. The workshop included discussions on how to define a “consumer,” what should be in scope for a labeling program, the limits of a labeling program, and achieving global harmonization, among many other topics. Recurring themes included ensuring that a cybersecurity label avoids conveying a false sense of security and the need to keep labels simple.

Comments on the draft white paper are due October 17, 2021, and can be submitted to labeling-eo@nist.gov. NIST has already received feedback on important details, which were discussed during the workshop. With the growth of IoT devices, an IoT labeling scheme will likely have significant impact on many industry sectors, so interested stakeholders may wish to consider submitting comments.