Courts Express Reluctance to Regulate Market Prices Via Consumer Protection Claims
By: Lindsey A. Lusk
Consumers seeking to hold companies accountable for differential pricing of allegedly materially identical products have recently faced push-back from several federal courts. In May 2021, two federal courts dismissed consumer-protection claims based on price differentials between such products.
In Schulte v. Conopco, et al., the Eighth Circuit affirmed the Missouri district court’s dismissal of a Missouri Merchandising Practices Act (MMPA) claim premised on allegedly discriminatory price differentials between women’s and men’s deodorant products (a so-called “pink tax” claim). 2021 WL1971957 at *1 (8th Cir. May 18, 2021). The appellate court held that the plaintiff failed to meet the plausibility pleading standard and was mistaking “gender-based marketing for gender discrimination.” Id. The court also noted that the plaintiff was “conflate[ing] marketing targeted to women with enforced point-of-sale pricing by gender,” and that the plaintiff’s choice not to purchase men’s antiperspirant “illustrates a difference in demand based on product preferences.” Id. Because “preference-based pricing is not necessarily an unfair practice,” the court held that the MMPA did not prohibit the defendants’ differential pricing.
Similarly, the Northern District of Illinois recently dismissed a claim based on the price differential between infant and children’s acetaminophen. In Harris v. Topco Associates, LLC, the plaintiff brought a putative class action alleging that the defendant “designed its [Infants’ Pain & Fever Acetaminophen and Children’s Pain & Fever Acetaminophen] to mislead parents into purchasing the infant medication at a higher cost,” despite the pharmacological identity of the two products. 2021 WL 1885981 (N.D. Ill. May 22, 2021). The court dismissed the plaintiff’s claim, finding that it was preempted by the federal Food, Drug, and Cosmetic Act (FDCA) because the plaintiff’s request for a disclosure on the label of the infant medication would impose an additional obligation not required by the FDCA. Id. *1.
Although decided on different grounds, the courts’ rejections of these types of claims suggest that courts may be hesitant to use consumer protection statutes to “regulate” pricing of materially similar yet differently-marketed products when those prices are otherwise set by consumer demand.
Analysis of Recent and Forthcoming State Legislation on Toxic Chemicals in Cosmetics and Personal Care Products and Preemptive Effects of Existing Federal Legislation
By: Matthew G. Lawson
According to a report released in February 2021 by the organization Safer States, at least 27 US states will consider proposed legislation to regulate toxic chemicals in 2021. While a large driver of the proposed state laws is growing public concern over drinking water contamination from “emerging contaminants,” including PFAS (per- and polyfluorinated alkyl substances) and 1,4-dioxane, a secondary focus has been to minimize the risk of adverse human health effects from exposure to these toxic chemicals in cosmetics and personal care products. Two states—New York and California—are spearheading these efforts through recently enacted laws to limit or prohibit certain toxic chemicals in cosmetics and personal care products that are set to take effect in 2022 and 2025, respectively. As other states consider their own bills to enact similar regulation of chemicals in cosmetics and personal care products, heightened attention will likely be paid to what extent the existing federal regulation of these products may preempt this new wave of state legislation.
Federal Regulation of Chemicals in Cosmetics and Personal Care Products
At the federal level, chemicals used in cosmetics and other personal care products are primarily regulated by either the Toxic Substrates Control Act (TSCA) or the Federal Food, Drug, and Cosmetic Act (FD&C Act). While TSCA broadly applies to any “chemical substance,” certain chemicals or uses of chemicals are exempt from TSCA if they are regulated by other federal statutes. Such products include “cosmetics” regulated by the FD&C Act, which are defined as “articles intended to be rubbed, poured, sprinkled, or sprayed on, introduced into, or otherwise applied to the human body...for cleansing, beautifying, promoting attractiveness, or altering the appearance.” While the distinction between a cosmetic and personal care product may not always be apparent to the consumer, the difference is crucial with respect to federal oversight of the chemicals contained in the product.
Non-cosmetic, personal care products are regulated under TSCA, as amended by the Frank R. Lautenberg Chemical Safety Act of the 21st Century, which requires the Environmental Protection Agency (EPA) to identify “high-priority chemicals” used in existing commerce and determine whether any current uses of the chemicals “present an unreasonable risk of injury to health or the environment.” Where an unreasonable risk is identified, the EPA has discretion to impose conditions on or outright ban the chemical use. Prior to introducing a new chemical or new use of an existing chemical into commerce, manufacturers are required to provide notice to the EPA so that the agency may assess whether the proposed chemical or use will pose an unreasonable risk. In contrast, chemicals used in cosmetic products are regulated by the Food and Drug Administration (FDA) pursuant to the FD&C Act and generally do not require registration or preapproval by the agency before being introduced into commerce. Moreover, the FDA does not have authority to require a recall where it identifies a potential health hazard in a cosmetic product. However, the FDA does have authority to regulate the labeling of cosmetic products and to outright ban specific ingredients from being used in cosmetics generally.
State Regulation of Chemicals in Cosmetics and Other Personal Care Products—Newly Enacted Laws and Anticipated Future Legislation
While the regulation of chemicals in cosmetic and personal care products has historically been left to the purview of the EPA and the FDA, in recent years a growing number of states have expressed interest in directly regulating chemicals in cosmetic and personal care products sold within their jurisdictions. In 2019 and 2020, state regulation of these chemicals took a significant step forward as New York and California signed into law two bills regulating chemicals used in cosmetic and/or personal care products. A brief description of both state laws is provided below.
New York: On December 9, 2019, Governor Cuomo signed into law New York Senate Bill 4389-B/A.6295-A, making New York the first and only state to set a maximum contaminant limit of 1,4-dioxane in consumer products. While there are no direct consumer uses of 1,4-dioxane, the compound may be present in cosmetics and personal care products as a byproduct of the manufacturing process (according to one 2007 Study, approximately 22% of cosmetic and other personal care products may contain 1,4-dioxane). New York’s legislation, which takes effect on December 31, 2022, prohibits the sale of personal care products containing more than 2 ppm of 1,4-dioxane and the sale of cosmetic products containing more than 10 ppm of 1,4-dioxane.
California: On September 30, 2020, Governor Newsom signed into law the Toxic-Free Cosmetics Act, California Assembly Bill 2762, banning 24 chemicals, including mercury, formaldehyde, and certain types of PFAS, from being used in cosmetic, beauty, and personal care products sold in California. California’s legislation is set to take effect in 2025 and will mark the first state-level prohibition on the various chemicals in cosmetic products.
In addition to New York and California’s recently enacted legislation, there are at least five bills currently being considered by various states that would further regulate chemicals in cosmetic and/or personal care products sold within the respective jurisdictions. A brief summary of these state bills is provided below:
Connecticut: SB 404—Prohibiting the sale or distribution of consumer products that contain PFAS (currently before the Joint Committee on Public Health).
Maryland: HB 0643—Prohibiting the sale or distribution of cosmetic products that contain PFAS, mercury, and other chemicals in certain instances (currently passed in both chambers and before the Governor).
New Jersey: A 189 / S 1843—Prohibiting the sale and distribution of nail salon products that contain dibutyl phthalates, toluene, or formaldehyde (currently before the Assembly Consumer Affairs Committee); A 1720—Prohibiting the sale of hand sanitizers and body cleaning products containing triclosan (currently before the Assembly Consumer Affairs Committee).
New York: A 143 / S 3331—Creating a list of “chemicals of concerns” known to exist in personal care products, requiring manufacturers of such products to disclose any chemicals of concerns contained in their products and prohibiting the sale of personal care products containing chemicals of concerns after three years (currently referred to Environmental Conservation Committee).
Federal Preemption of State Laws
As more states continue to adopt new legislation to regulate chemicals in cosmetic and personal care products, manufacturers and/or trade organizations will likely bring preemption challenges to these state regulations. In the context of cosmetic products, the FD&C Act prohibits state or local governments from enacting “any requirement for labeling or packaging of cosmetics that is different from or in addition to, or that is otherwise not identical with” the federal rules. Thus, state laws that do not directly regulate the labeling or packing of cosmetics products but instead regulate the contents of these products will likely not run afoul of the FD&C Act’s preemption clause.
In contrast, state legislation governing chemicals in personal care products may be at a higher risk of being preempted by TSCA. TSCA broadly prohibits the enforcement of any state chemical regulation of a particular substance once the EPA completes a risk evaluation for the substance and either: (1) determines that the chemical will not present an unreasonable risk; or (2) concludes that the chemical presents an unreasonable risk under the circumstances of use, and promulgates a rule that restricts manufacturing or use of the chemical to mitigate the identified risks. Notably, the scope of TSCA’s preemption extends only to chemical uses examined in the EPA’s risk evaluation—meaning that the EPA’s failure to examine the use of a chemical in personal care products would make state regulation fair game. In addition, even where a risk evaluation of a particular chemical has been completed, TSCA will not preempt state laws that (1) only impose reporting, monitoring, or information obligations; or (2) environmental laws that regulate air quality, water quality, or hazardous waste treatment or disposal.
Early insight into the full scope of TSCA’s preemption provisions will likely be provided by anticipated challenges to individual state’s regulation of 1,4-dioxane. As explained above, New York has already taken steps to regulate 1,4-dioxane in personal care products and other states may soon look to follow suit. However, on January 8, 2021, the EPA released its final risk evaluation for 1,4-dioxane under TSCA. See 86 Fed. Reg. 1495. The EPA’s initial risk evaluation identified a number of “use conditions” in which 1,4-dioxane posed an unreasonable risk to occupational workers, but did not consider “use conditions” involving 1,4-dioxane’s presence in consumer products. In response to protests from industry, EPA’s final risk evaluation included a supplemental analysis of eight use conditions for 1,4-dioxane as a byproduct in consumer goods, including use in hobby materials; automotive care products; cleaning and furniture care products; laundry and dishwashing products; paints and coatings; and spray polyurethane foam. No unreasonable risks for these consumer uses were identified. Because the EPA’s supplemental risk evaluation examined but did not find any unreasonable risks from 1,4-dioxane in consumer products, an argument could be made that states are preempted from enacting their own 1,4-dioxane limits in consumer products. However, because the EPA’s risk evaluation did not specifically exclude cosmetic or personal care products, individual states may be able to argue that the preemption scope is limited only to the specific uses of 1,4-dioxane that were specifically examined during EPA’s risk evaluation. The resolution of any challenges to New York and other states’ regulation of 1,4-dioxane in consumer products will likely provide key insights into the scope of TSCA’s preemption powers.
Federal Reserve Seeks Public Comment on Guidelines for Accepting Fintechs
By: Anthony L. Nguyen
The Federal Reserve is seeking public comment on proposed guidelines to regulate financial technology companies’ access to The Fed’s payment systems. The Fed has proposed guidelines to evaluate access requests from these “novel types of banking charters” with a “transparent and consistent process.”
According to Federal Reserve Board Governor Lael Brainard, the proposed guidelines intend to promote “a safe, efficient, inclusive, and innovative payment system, consumer protection, and the safety and soundness of the banking system."
Public comments will be accepted for 60 days after publication in the Federal Register.
FTC Asks Congress: Restore Our Power to Protect Consumers
By: Anthony L. Nguyen and Jeremy M. Creelan
On April 27, 2021, the Federal Trade Commission (FTC) testified before the Subcommittee on Consumer Protection and Commerce to support proposed legislation that would revive FTC’s ability to seek restitution and disgorgement on behalf of consumers harmed by violations of the FTC Act.
From the 1980s until recently, the FTC took the position that Section 13(b) of the FTC Act, which permits injunctive relief, also authorized it to seek restitution, disgorgement, and other equitable monetary relief. FTC Testimony at 2. The FTC used Section 13(b) to reclaim and refund billions of dollars on behalf of consumers in various types of cases, including telemarketing, fraud, anticompetitive pharmaceutical practices, data security and privacy, scams that target seniors and veterans, deceptive business practices, and COVID-related scams. Id. at 1.
Rebecca Kelly Slaughter, acting Chairwoman of the FTC, testified that “the Supreme Court ruled that courts can no longer award refunds to consumers in FTC cases brought under 13(b), reversing four decades of case law that the Commission has used to provide billions of dollars of refunds to harmed consumers.” Id. She testified that in AMG Capital Management, LLC v. FTC, the Supreme Court “held that equitable monetary relief such as restitution or disgorgement is not authorized by the text of Section 13(b).” Id. at 3. She also noted that other appellate courts had reached similar conclusions. For example, she noted that the Seventh Circuit had held that “the word ‘injunction’ in the statute allows only behavioral restrictions and not monetary remedies.” Id. (citing FTC v. Credit Bureau Center, LLC, 937 F.3d 764 (7th Cir. 2019)). And she noted that the Third Circuit had reversed an award of “$448 million meant to repay overcharged consumers” because it found that the order exceeded the authority provided by the FTC Act. Id. (citing FTC v. AbbVie Inc., 976 F.3d 327 (3d Cir. 2020)).
Slaughter also testified that other court rulings held that the FTC “cannot seek injunctive relief under 13(b) in cases where the unlawful conduct is no longer occurring, even if there is a reasonable likelihood that it will re-occur.” Id. at 1. She testified that the Third Circuit held the FTC may only bring enforcement actions under Section 13(b) “when a violation is either ongoing or ‘impending’ at the time the suit is filed.” Id. at 4 (citing FTC v. Shire ViroPharma, Inc., 917 F.3d 147 (3d Cir. 2019)). In FTC v. AbbVie, Inc., the court cited Shire ViroPharma in dicta while holding the FTC cannot sue unless the conduct is “imminent or ongoing.” Id. Slaughter stated that decisions like this have hindered the FTC’s ability to settle cases because targets of investigations routinely argue they are immune to federal suits because they are no longer violating the law, even though they stopped after hearing the FTC is investigating them. Id. at 5. To that end, Slaughter encouraged Congress to enact legislation that would restore the FTC’s ability to seek equitable monetary relief on behalf of consumers.
Supreme Court Limits FTC Authority to Obtain Disgorgement or Restitution, Rejecting Decades of Precedent
By: Gabriel K. Gillett, Megan B. Poetzel, and Ariana Kanavy
In a high-profile decision in AMG Capital Management, LLC v. Federal Trade Commission, No. 19-508 (Apr. 22, 2021), the US Supreme Court held that the Federal Trade Commission’s (FTC) statutory authority to obtain a “permanent injunction” does not permit it to obtain “equitable monetary relief” such as restitution or disgorgement. The Court’s unanimous decision interpreted Section 13(b) of the FTC Act to “mean what it says”—contrary to what the FTC and many courts have long read the statute to mean—and strips the FTC of a tool it has often used in antitrust and consumer protection cases. If the FTC wants that tool back, the Court explained, it must look to Congress.
The path to the Court’s decision is relatively straightforward. In 2012, the FTC sued a payday lender, alleging deceptive practices in violation of § 5(a) of the Federal Trade Commission Act. Invoking § 13(b), which authorizes the FTC to obtain a “permanent injunction” in “proper cases” where a party “is violating, or is about to violate, any provision of law” that the FTC enforces, the FTC asked the District Court to grant a permanent injunction and order $1.27 billion in restitution and disgorgement. The District Court granted the request. On appeal, the Ninth Circuit affirmed based on binding circuit precedent holding that § 13(b) permitted the relief the FTC sought. Two of the three judges on the panel “expressed doubt as to the correctness of that precedent” as well as of similar precedent in at least eight other circuits stretching back more than thirty years.
In a unanimous decision, the Court validated the judges’ skepticism, rejected “precedent in many Circuits,” and held that § 13(b) does not permit the FTC to seek disgorgement and restitution. Looking to the text, the Court reasoned that “the language refers only to injunctions,” contemplates prospective (not retrospective) relief, and “the words ‘permanent injunction’ have a limited purpose” which “does not extend to the grant of monetary relief.” In addition, other provisions of the FTC Act (§ 5(l) and § 19) explicitly provide for limited equitable monetary remedies—but only after the FTC undertakes administrative proceedings that are “more onerous” than simply filing a complaint in federal court, obtains a cease and desist order, and satisfies various other conditions and limitations. Reading § 13(b) to permit the FTC to obtain the same relief without that additional process or those additional requirements “would allow a small statutory tail to wag a very large dog.” By contrast, reading § 13(b) “to mean what it says … produces a coherent enforcement scheme.”
The decision may have a major practical impact on those within the FTC’s purview. With this decision, the Supreme Court has taken away the FTC’s long-used, self-proclaimed “strongest tool” for obtaining monetary relief in cases alleging deceptive business practices, anti-competitive conduct, and fraud. For example, in 2019, the FTC invoked § 13(b) in “49 complaints in federal court and obtained 81 permanent injunctions and orders, resulting in $723.2 million in consumer redress or disgorgement.” And the FTC has been using § 13(b) with increasing frequency. For instance, the FTC “sought disgorgement in anti-trust cases four times between 2012 and 2016,” after seeking that relief only four times “in the prior twenty years.”
Going forward, if the FTC wants disgorgement or restitution in federal court it must first pursue administrative proceedings—and must contend with the statutory limitations on the FTC’s authority and the protections for defendants in Sections 5(l) and 19. As the Supreme Court noted, however, the FTC remains “free to ask Congress to grant it further remedial authority.” The agency has recently done so, and following the decision’s announcement the FTC renewed its call on Congress “to act swiftly to restore and strengthen the powers of the agency.” Time will tell whether Congress heeds that call. Meanwhile State Attorneys General may step up their own efforts to use state law to obtain monetary awards, or to partner with the FTC. So while the AMG decision may be welcome for businesses, it does not immunize them from being targeted for alleged misconduct or from potentially being required to pay large sums as a result.
 Id. at *10.
 Id. at *7.
 Id. at *8-9.
 Id. at *10.
 Statement by FTC Acting Chairwoman Rebecca Kelly Slaughter on the US Supreme Court Ruling in AMG Capital Management LLC v. FTC, Federal Trade Commission (April 22, 2021), https://www.ftc.gov/news-events/press-releases/2021/04/statement-ftc-acting-chairwoman-rebecca-kelly-slaughter-us.
 Id. at *6.
 Id. at *6.
 FTC Statement, supra note 5, https://www.ftc.gov/news-events/press-releases/2021/04/statement-ftc-acting-chairwoman-rebecca-kelly-slaughter-us.
 See Brief Amici Curiae of States of Illinois, et al. (Dec. 7, 2020), https://www.supremecourt.gov/DocketPDF/19/19-508/156629/20201002130714167_19-508_19-825%20Chamber%20Of%20Commerce%20Amicus.pdf
 See, e.g., Brief Amici Curiae of Chamber of Commerce of the United States, et al. (Oct. 2, 2020), https://www.supremecourt.gov/DocketPDF/19/19-508/156629/20201002130714167_19-508_19-825%20Chamber%20Of%20Commerce%20Amicus.pdf
UK Establishes New Big Tech Watchdog
By: Michaela M. Croft
On 7 April 2021, the UK Government announced a new tech regulator to “curb the dominance of tech giants” in the digital advertising space to “promote dynamic and competitive digital platform markets” for the benefit of online consumers and small businesses. The newly formed Digital Markets Unit (the DMU) will sit as its own division within the Competition and Markets Authority (the CMA). The UK Government previously announced in November 2020 that it was creating a watchdog to tackle the perceived harm caused by the dominant market position of a small number of players in the online advertising space that hold strategic market status.
Currently set up in a shadow, non-statutory form pending the granting of full powers, the DMU’s first task is to draw up codes of conduct with a view to governing the relationship between tech firms and their users. According to Andrew Coscelli, the Chief Executive of the CMA, the DMU plans to oversee an overhaul of online advertising to ensure consumers “enjoy the choice, secure data and fair prices that come with a dynamic and competitive industry” with a view to creating a “level playing field in digital markets” in the UK. It is the latest step in a line of actions taken by the CMA to address the findings in its July 2020 market study into online platforms and digital markets, which found that “competition is not working well in these markets, leading to substantial harm for consumers and society as a whole”. The UK Business Secretary, Kwasi Kwarteng MP, has confirmed that the aim of the DMU is intended to be “unashamedly pro-competition”.
In its initial response to the CMA’s invitation to comment back in 2019, Facebook supported increased regulation but argued that a proper market definition analysis would identify that “competition between user platforms is [already] thriving in the UK”.
Whilst the DMU will need to wait for legislators to make any code of conduct law before action can be taken, it is envisaged that the DMU will work hand-in-hand with the CMA enforcement team to continue the CMA’s crack down on digital firms. It remains to be seen how the balance will be struck between the potentially competing demands of making the UK a post-Brexit friendly tech centre, and protecting online consumers.
The CMA’s full press release can be read here.
Supreme Court Answers the Call: Clarifies Meaning of “Automatic Telephone Dialing System” under the TCPA
By: Madeleine V. Findley and Emma J. O’Connor
On April 1, 2021, the Supreme Court of the United States unanimously reversed the Ninth Circuit Court of Appeals decision in Facebook Inc. v. Duguid et al., No. 19-511, and held that in order for a device to be an “automatic telephone dialing system” (ATDS), a key term in the Telephone Consumer Protection Act of 1991 (TCPA), 47 U.S.C. § 227, it must have the capacity to use a random or sequential number generator to either store or produce phone numbers to be called. This decision represents a significant victory for entities defending against TCPA claims.
The TCPA prohibits making calls or sending text messages to mobile telephones using an ATDS (often simply referred to as an “autodialer”) without the prior express consent of the recipient. What precisely that means has become a heated dispute in TCPA litigation because using an ATDS to place a call is an essential component of many TCPA claims. The statute defines an ATDS as “equipment which has the capacity—(A) to store or produce telephone numbers to be called using a random or sequential number generator; and (B) to dial such numbers.” Lower courts had split on the provision’s meaning. The Third, Seventh, and Eleventh Circuits interpreted the provision narrowly, holding that an ATDS must have the capacity to generate random or sequential phone numbers, not merely to store and dial the numbers automatically. The Second, Sixth, and Ninth Circuits had taken a broad approach, holding that an ATDS need only have the capacity to store numbers to be called and to dial those numbers automatically.The Supreme Court Duguid answered the question of whether a device constitutes an ATDS if it can “store” and dial telephone numbers, even if it does not “us[e] a random or sequential number generator.” It took the narrow view.
The Duguid plaintiff claimed Facebook, Inc. (Facebook) violated TCPA when it allegedly sent him text messages to alert him to login activity on a Facebook account linked to his telephone number, even though he never created that account (or any account on Facebook) and had not provided his phone number to Facebook. The text messages at issue were sent to the plaintiff using Facebook’s login notification system, which automatically sends users text notifications when someone attempts to log in to the user’s account from an unknown device or browser, but which does not use a random or sequential number generator.
In Duguid, the parties’ respective positions hinged on the syntax of the statutory definition of an ATDS. Facebook argued that to constitute an ATDS, the equipment must use a random or sequential number generator, because the clause “using a random or sequential number generator” modifies both verbs, “store” and “produce.” The plaintiff, however, argued that a number generator was not required for a device to be an ATDS, because “using a … number generator” applies only to “produce,” and therefore the statute prohibits the use of equipment with the capacity “to store … numbers to be called” and to dial them.
The Court sided with Facebook, reasoning that “[u]nder conventional rules of grammar, ‘[w]hen there is a straightforward, parallel construction that involves all nouns or verbs in a series,’ a modifier at the end of the list ‘normally applies to the entire series.’” The Court also concluded that the statutory context confirmed this reading, because the plaintiff’s proposed interpretation “would capture virtually all modern cell phones,” which can store and dial numbers. Therefore, in the Court’s view, the more expansive reading would mean that “ordinary cell phone owners” could face TCPA liability “in the course of commonplace usage, such as speed dialing or sending automated text message responses.”
Justice Sotomayor, joined by seven justices, wrote the Court’s opinion. Justice Samuel Alito concurred in the judgment, but wrote separately to opine on the limitations of the Court’s “heavy reliance” on the “series-qualifier canon,” noting that interpretive canons “are not ‘rules’ of interpretation in any strict sense but presumptions about what an intelligently produced text conveys.”
The Supreme Court’s decision will likely have a profound impact on TCPA litigation, as the use of an ATDS is a necessary element of many TCPA claims. But the decision is unlikely to “unleash” a “torrent of robocalls,” as Duguid had argued, because the TCPA’s other restrictions still stand, such as prohibiting artificial or prerecorded voice calls to residential and wireless numbers.
And backlash to the decision was swift. In an April 1 joint statement, Senator Edward J. Markey (D-Mass.) and Representative Anna G. Eshoo (CA-18) criticized Duguid as “toss[ing] aside” an “essential consumer protection,” and described it as “disastrous for everyone who has a mobile phone in the United States.” Further, the legislators—who had led 19 members of Congress in submitting an amicus brief supporting the Ninth Circuit’s broader reading of ATDS—stated that “
y narrowing the scope of the TCPA, the Court is allowing companies the ability to assault the public with a non-stop wave of unwanted calls and texts, around the clock.”
Senator Markey and Representative Eshoo declared an intent to introduce legislation to “fix the Court’s error” and amend the TCPA.
The Court’s ruling provides welcome clarity and uniformity on a contested issue. It notably also eliminates the need for the FCC to provide an interpretation of ATDS, as the 2018 remand of ACA Int’l v. FCC otherwise would have required. But it does not eliminate TCPA risks for callers. Companies must still be prudent about which technologies they use to contact consumers. Companies should also ensure they still comply with the other requirements of the TCPA, such as the ban on placing pre-recorded telemarketing calls to residential telephone numbers without the prior express written consent of the recipient or placing calls to numbers on the Do Not Call registry; and should still maintain proper records to demonstrate that they only market to consumers who have provided consent. Additionally, businesses should train employees on TCPA compliance, and must ensure that all of their third-party vendors comply with the TCPA, including by not using a proscribed ATDS to contact customers. Because Duguid applies only to the TCPA, companies must also confirm that they comply with other state and federal robocall laws.
 Duguid v. Facebook, Inc., 926 F.3d 1146 (9th Cir. 2019), cert. granted in part, 141 S. Ct. 193 (2020), and rev'd and remanded, No. 19-511, 2021 WL 1215717 (U.S. Apr. 1, 2021).
 Facebook, Inc. v. Duguid, No. 19-511, 2021 WL 1215717, at *2 (U.S. Apr. 1, 2021).
 47 U.S.C. § 227(a)(1). The TCPA is a strict liability statute that provides a private right of action for individuals to sue for and obtain $500 for each violation of the act, trebled to $1,500 for a willful violation. Id. at § 227(b)(3).
 Gadelhak v. AT&T Servs., Inc., 950 F.3d 458, 468 (7th Cir. 2020) (Barrett, J., for the court); Glasser v. Hilton Grand Vacations Co., 948 F.3d 1301, 1306–07 (11th Cir. 2020); Dominguez v. Yahoo, Inc., 894 F.3d 116, 119 (3d Cir. 2018).
 Duguid, 926 F.3d at 1151–52; Duran v. La Boom Disco, Inc., 955 F.3d 279, 290 (2d Cir. 2020); Allan v. Pennsylvania Higher Educ. Assistance Agency, 968 F. 3d 567, 579–80 (6th Cir. 2020).
 Facebook, Inc., 2021 WL 1215717, at *2.
 First Am. Compl. ¶¶ 21-37, Duguid v. Facebook, Inc., No. 3:15-cv-00985, 2016 WL 10518965 (N.D. Cal. Apr. 22, 2016).
 Facebook, Inc., 2021 WL 1215717, at *3.
 Id. at *3, *5.
 Id. at *4.
 Id. at *6.
 Id. at *8 (Alito, J., concurring).
 Id. at *7.
 Senator Markey and Rep. Eshoo Blast Supreme Court Decision on Robocalls as “Disastrous,” SENATOR EDWARD MARKEY OF MASSACHUSETTS (Apr. 1, 2021), https://www.markey.senate.gov/news/press-releases/senator-markey-and-rep-eshoo-blast-supreme-court-decision-on-robocalls-as-disastrous.
 ACA Int’l v. Fed. Commc’ns Comm’n, 885 F.3d 687 (D.C. Cir. 2018).
Does Novel “Greenwashing” Enforcement Action Portend a New Trend?
By: Todd C. Toral and PJ M. Novack
Lawsuits over alleged misleading environmental marketing claims, or “greenwashing,” are nothing new. It has been nearly 30 years since the Federal Trade Commission (FTC) released its first version of the “Green Guides,” which are intended to help marketers avoid the practice. Since then, there have been many greenwashing actions before the FTC. More broadly, the FTC has pursued a number of suits in federal court, such as false advertising claims over the terms “clean diesel” and “100% organic.” But last month, in a first, several environmental groups petitioned the FTC to use its Green Guides offensively against a fossil fuel company for “misleading consumers on the climate and environmental impact of its operations.”
On March 16, 2021, Earthworks, Global Witness, and Greenpeace USA filed a complaint against Chevron for misleading consumers through advertisements that exaggerate the company’s investment in renewable energy and its commitment to reducing fossil fuel pollution. The action comes on the heels of Chevron’s new “Climate Change Resilience” report, where Chevron outlined its contributions against climate change. The environmental groups argue that Chevron misrepresents its image to appear climate-friendly and racial-justice oriented, while actually doing more harm than good. In support of their claims, the environmental groups point out that Chevron is the second most polluting company in the world and had spent only 0.2% of its capital expenditures on low-carbon energy sources between 2010-2018.
Considering the recent change in administrations, this action may represent a new trend where consumer and environmental groups are willing to take on major oil companies by petitioning a potentially more consumer-friendly FTC. President Biden currently has an opportunity to fill the vacant FTC seat and tip the balance of power toward Democrats. Moreover, President Biden has signaled his personal support for environmental causes by halting oil and gas sales and canceling the Keystone XL crude pipeline. Given the shifting sands, companies should be prepared for new and perhaps more creative enforcement actions.
Kang v. PF Chang’s, Inc.: Reasonable Consumer Deception, or Just a “Crabby” Plaintiff?
By: Alexander M. Smith
On February 9, 2021, the Ninth Circuit—in a split decision with a spirited dissent—reversed the dismissal of a consumer class action challenging P.F. Chang’s’s use of the phrase “krab mix” to describe sushi rolls that contain no real crab. Although Kang is an unpublished case and breaks little new legal ground, the two opinions offer a useful glimpse into how both defendants and plaintiffs frame their positions in false advertising lawsuits, and they highlight how easily judges can come to radically different conclusions in consumer class actions, even when faced with the same facts and law.
In Kang, the plaintiff alleged that P.F. Chang’s’s sushi rolls were deceptively labeled because they purported to contain “krab mix,” but did not include any crab at all. Judge Anderson of the Central District of California dismissed the plaintiff’s lawsuit, holding that no reasonable consumer would be deceived into believing that “krab mix” contained crab. The Ninth Circuit reversed. Judge Friedland and Judge Watford—writing for the panel majority—emphasized that “determining whether reasonable consumers are likely to be deceived will usually be a question of fact not appropriate on a motion to dismiss.” Applying this standard, the panel majority concluded that the plaintiff had plausibly alleged that the “inclusion of the term ‘krab mix’ in the ingredient list for certain of its sushi rolls is likely to deceive reasonable consumers into thinking that the sushi rolls contain at least some real crab meat when in fact they contain none.” Although P.F. Chang’s offered several reasons that this interpretation was implausible, the panel majority rejected them all:
The panel majority rejected P.F. Chang’s’s argument that the “fanciful” term “krab mix” suggested the absence of real crab. Although the panel majority agreed that “reasonable consumers confronted with the fanciful spelling of ‘krab’ on the menu would not assume they were purchasing a sushi roll with 100% real crab meat,” it nonetheless concluded that the plaintiff had plausibly alleged that the term “krab mix” suggests that the product contains “a mixture of imitation and real crab.” In contrast to cases where the challenged term has a specific, widely-understood meaning (such as “diet” soft drinks), the panel majority held that “there is no prevailing understanding that listing ‘krab mix’ as an ingredient in a sushi roll signifies that the item contains no real crab meat.” And in contrast to a case where the “fanciful” term appears in the name of the product (such as “Froot Loops”), the panel majority concluded that the term was at least plausibly misleading because it appeared in the ingredient list.
The panel majority rejected P.F. Chang’s’s argument that the relatively low price of the sushi rolls suggested that they contained no real crab, and it found that this issue was not susceptible to resolution on a motion to dismiss.
The panel majority rejected P.F. Chang’s’s argument that a reasonable consumer would not be misled by the use of the term “krab mix” because other menu items included “crab” in the ingredients list. Much as a reasonable consumer should not be expected to look at the ingredient list on the packaging of a food to correct a misrepresentation elsewhere on the packaging, the panel majority concluded that “we cannot assume that reasonable consumers would necessarily look past the term ‘krab mix’ in the item they were ordering to notice that ‘crab’ appeared as an ingredient in other items on the same menu.” For similar reasons, the panel majority rejected P.F. Chang’s’s argument that the use of the term “crab” elsewhere on the menu served as “qualifying language” that corrected the alleged misimpression arising from the term “krab mix”—particularly since “that language does not appear immediately next to the representation that it purportedly qualifies.”
Judge Bennett vigorously dissented. The first paragraph of his opinion struck a dramatically different tone than the panel majority:
Class representative Chansue Kang bought sushi rolls on April 12, 2019, according to his opening brief. His complaint contends he bought the appetizer because he read and relied on the “false and misleading” menu description “krab mix.” Kang claims that he believed he was getting crab. He further claims that he wouldn’t have bought the “krab” had he known “krab” wasn’t crab. Thus, he tells us he was “deceived.” His complaint states that on April 29, 2019, he gave pre-suit notice by certified mail. So, in a seventeen-day period: (1) Plaintiff was unfairly bamboozled by P.F. Chang’s into thinking “krab” was crab; (2) Plaintiff discovered the horrible truth that “krab” wasn’t crab; (3) Plaintiff found a crusading attorney; (4) that attorney somehow confirmed the horrible truth; and (5) that attorney drafted and mailed a pre-suit letter. Remarkable diligence!
After setting this stage, Judge Bennett then noted that the standard for consumer deception “is not whether the ‘least sophisticated’ or ‘most gullible’ consumer would be misled by the term ‘krab mix,’ but whether a significant portion of ordinary consumers, acting reasonably, would think ‘krab mix’ contains real crab meat.” From his perspective, he noted, the panel majority “fails to give the ordinary California consumer enough (or any) credit.” For example, he noted that “‘Krab’ with a ‘k’ should be a dead giveaway,” as consumers “understand that fanciful spellings materially change the meaning of a word.” Much as a reasonable consumer would not conclude that Froot Loops contain real fruit, that “cavi-art” contains real caviar, or that “tofurky” contains real turkey, an “ordinary consumer” acting with “ordinary common sense” would not conclude that “krab mix” contained real crab meat. Moreover, because “krab” is indisputably different from “crab,” Judge Bennett reasoned, no reasonable consumer could conclude that “krab mix” contains real crab, as opposed to “a mixture of ‘krab’ and other ingredients.” While “[c]onsumers may be unsure about what exactly those ingredients are,” Judge Bennett explained, “that doesn’t make it reasonable to assume one of those ingredients will be crab.”
“Context matters too,” Judge Bennett then explained, “and it does not support the majority’s conclusion.” In contrast to the panel majority, which placed little stock on the fact that other products featured “crab” in the ingredients list, Judge Bennett found that this fact defeated the plaintiff’s theory of deception: “[W]hen confronted with both ‘krab mix’ and ‘crab’ on the same menu,” Judge Bennett noted, “such a consumer knows that one is not another.” Although Judge Bennett acknowledged that a manufacturer ordinarily cannot use an ingredients list on a box to correct an affirmative misrepresentation on the front of the package, he emphasized that “the ingredient list on product packaging . . . is nothing like a restaurant menu.” While the ingredient list “exists to satisfy regulatory requirements,” “is almost always tucked away on the back or side of the product label,” and “is usually expressed in very small print,” Judge Bennett explained, “[t]he same cannot be said for items or ingredients on a menu that are placed on equal footing with, and on the same page as, the alleged misrepresentation.” Even if a “hasty diner . . . might fixate on sushi rolls with ‘krab mix’ to the exclusion of all other items on the menu,” Judge Bennett concluded that this “approach to ordering food doesn’t bear any resemblance to the real dining experience of consumers.”
Ultimately, the panel majority and Judge Bennett came to diametrically opposed—and incompatible—conclusions. The panel majority, like many plaintiffs in false advertising class actions, focused on the purported difficulty of resolving factual questions about the deceptive effect of the labeling at the pleading stage, and it relied on many of the most common cases cited by plaintiffs in false advertising class actions. Judge Bennett, in turn, relied more on many of the common themes raised by defendants in these cases—including, most importantly, that “context matters” and that reasonable consumers must be expected to apply “common sense.” And while the panel majority did not frame its result in policy terms, Judge Bennett did not hesitate to point out that the decision did not help protect consumers; to the contrary, he explained, “[t]he real harm here comes from allowing such implausible claims as Plaintiffs’ to proceed, which will increase costs to all consumers.”
While Kang is hardly groundbreaking, it undoubtedly serves as a microcosm for the issues that recur at the pleading stage in virtually every food labeling case. And just as importantly, it underscores that the decision may depend as much on the judge’s orientation to consumer fraud cases as any other factor.
What to Expect from Director Rohit Chopra’s CFPB
By: Kali Bracey and Erica S. Turret
President Biden has nominated Federal Trade Commission (FTC) Commissioner Rohit Chopra to serve as Director of the Consumer Financial Protection Bureau (CFPB). Commissioner Chopra served as the agency’s Assistant Director and first Student Loan Ombudsman prior to his appointment to the FTC in 2018. The CFPB under his leadership will shift to the more aggressive posture of the Obama administration and return the agency to its consumer watchdog mission. His vision is aligned with that of Senator Elizabeth Warren whom he helped to set up the agency after the passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act in 2010.
Because of the Supreme Court’s decision in Seila Law holding that the President has the power to fire the CFPB Director, the CFPB more closely carries out the current administration’s agenda than was intended in the Dodd-Frank Act which had sought to structure the bureau as an independent agency. Thus, Commissioner Chopra, once in office, will be able to quickly chart the agency on a new, more muscular course.
Regulated entities can expect enforcement to ramp up as the agency reverses efforts by the Trump administration to reduce the agency’s impact. CFPB enforcement activity decreased by 54 percent under the leadership of Trump appointees. Focus areas for a reinvigorated CFPB are likely to include:
Student Loans: Given his experience, a Director Chopra will make student debt a top priority with the goal of continuing the work he started as Ombudsman. The bureau will likely crack down on student loan servicers and lenders to ensure they follow the law and adequately serve student borrowers. The CFPB will also likely resume Obama-era efforts to increase transparency in the student loan process and create additional resources for borrowers. In addition to increased enforcement actions, the CFPB will likely also create new regulations (including possible federal student-loan servicing guidelines) for the industry and step up its oversight and monitoring functions, closely collaborating with the Department of Education and state regulators. The CFPB is also likely to step up enforcement actions against for-profit colleges.
COVID-19 Relief: The CFPB may take a more forceful approach in enforcing the consumer protection provisions of the CARES Act and other federal relief legislation, such as the requirement to offer borrowers extended periods of mortgage and student loan repayment forbearance. A more active CFPB will aggressively pursue violations and go after allegedly unfair debt collection practices. Commissioner Chopra has pointed to inequities in the distribution of relief funds, highlighting the underrepresentation of small businesses among recipients.  This suggests that he will prioritize the CFPB’s role in monitoring the implementation of federal stimulus legislation.
Fair Lending: Regulation and enforcement that prioritizes equity issues is likely. In addition to being a focus area for the Biden administration, Commissioner Chopra has advocated for the use of disparate impact analysis to detect and work to eliminate discriminatory lending practices. The CFPB’s enforcement of the Equal Credit Opportunity Act to challenge discriminatory practices will likely increase. Commissioner Chopra has highlighted the way in which mass data surveillance can be discriminatory and harm consumers, suggesting increased data collection efforts and agency action in this space.
Credit Reporting and Data Protection: While at the FTC, Commissioner Chopra has discussed the importance of credit reporting protections and has emphasized the role of the CFPB in supervising credit bureaus. He has focused on the technology industry and frequently discusses online predatory practices that harm consumers, suggesting that these will be likely areas of focus for him at the CFPB.
Payday Lending: The CFPB is likely to bring back former CFPB Director Richard Cordray’s Small Dollar Rule which would have required lenders to determine whether borrowers would be able to repay their loans prior to granting them. There is current litigation regarding the 2020 rescission of the Rule, which the new CFPB could rely on to reconsider the rescission. The bureau is sure to increase enforcement actions in this area as well, against allegedly predatory or unfair lending in violation of the Dodd-Frank Act.
Large Financial Institutions: A more muscular CFPB is more likely to bring actions against larger, more powerful institutions including the country’s largest banks and lenders. The bureau will also pursue larger penalties for violations. At the FTC, Commissioner Chopra has consistently advocated for stronger enforcement actions against large companies. During his tenure, he has voted against several FTC settlements with companies that he views as insufficient and too lax (particularly no dollar settlements) and has advocated for larger penalties for repeat violators. He emphasizes the dangers of monopolization and the power of large companies compared to small business and consumers.
Thus, regulated entities can expect increased activity from a CFPB led by Rohit Chopra. In addition to a return to the more aggressive enforcement posture of former Director Richard Cordray, who was appointed by President Obama, a Director Chopra will bring his own set of priorities to the bureau. The issue areas outlined here are likely to take center stage in this new era for the Consumer Financial Protection Bureau.
 Statement of Commissioner Rohit Chopra Regarding the 10th Anniversary of the Enactment of the Dodd-Frank Wall Street Reform and Consumer Protection Act, (July 21, 2010), https://www.ftc.gov/system/files/documents/public_statements/1578363/chopra_-_statement_on_dodd-frank_anniversary.pdf.
 Senator Elizabeth Warren, (Jan. 18, 2020), https://twitter.com/SenWarren/status/1351168329071915008.
 Seila Law LLC v. Consumer Fin. Prot. Bureau, 140 S. Ct. 2183, 207 L. Ed. 2d 494 (2020).
 Consumer Carnage: How Federal Enforcement of Consumer-Protection Laws Has Declined Under Trump, Public Citizen, (Mar. 13, 2019), https://www.citizen.org/wp-content/uploads/migration/consumeragencies.pdf.
 Written Testimony before the Committee on Budget, (June 4, 2014), https://www.consumerfinance.gov/about-us/newsroom/written-testimony-of-rohit-chopra-before-the-committee-on-the-budget/; Written Testimony of
FTC Commissioner Rohit Chopra Before the US House of Representatives Committee on Financial Services
“Examining Legislation to Protect Consumers and Small Business Owners from Abusive Debt Collection Practices,” (Sept. 26, 2019), https://www.congress.gov/116/meeting/house/110015/witnesses/HHRG-116-BA00-Wstate-ChopraR-20190926.pdf.
 Written Testimony of FTC Commissioner Rohit Chopra Before the US House of Representatives Committee on Financial Services “Examining Legislation to Protect Consumers and Small Business Owners from Abusive Debt Collection Practices,” (Sept. 26, 2019), https://www.congress.gov/116/meeting/house/110015/witnesses/HHRG-116-BA00-Wstate-ChopraR-20190926.pdf.
 Richard Cordray, White Paper: Immediate Actions for CFPB to Address Covid-19 Crisis, (Apr. 6, 2020), https://medium.com/@RichCordray/cfpbwhitepaper-193a5aed0d75.
 Senators Elizabeth Warren and Sherrod Brown, Congress Must Provide Immediate Relief for Consumers. Here’s How, (Apr. 21, 2020), https://medium.com/@SenWarren/congress-must-provide-immediate-relief-for-consumers-heres-how-2aeb99672ef9.
 Rohit Chopra, (Apr. 21, 2020), https://twitter.com/chopraftc/status/1252671473120051201.
 Comment Submitted by Rohit Chopra, Federal Trade Commission to the Department of Housing and Urban Development on the Disparate Impact Proposed Rulemaking, (posted on Oct. 17, 2019), https://beta.regulations.gov/comment/HUD-2019-0067-1960; Statement of Commissioner Rohit Chopra
In the Matter of Liberty Chevrolet, Inc. d/b/a Bronx Honda Commission File No. 1623238, (May 27, 2020), https://www.ftc.gov/system/files/documents/public_statements/1576002/bronx_honda_final_rchopra_bronx_honda_statement.pdf.
 Introductory Remarks of Commissioner Rohit Chopra, National Fair Housing Alliance 2020 National Conference, (Oct. 6, 2020), https://www.ftc.gov/system/files/documents/public_statements/1581594/final_remarks_of_rchopra_to_nfha_v3.pdf.
 Rohit Chopra: Consumer Protection in an Age of Uncertainty Keynote Conversation (Day 2), (Mar. 22, 2019), https://fordschool.umich.edu/video/2019/rohit-chopra-consumer-protection-age-uncertainty-keynote-conversation-day-2.
 Written Testimony of FTC Commissioner Rohit Chopra before the US House of Representatives Committee on the Judiciary Subcommittee on Antitrust, Commercial, and Administrative Law Hearing on Online Platforms and Market Power, Part 3: The Role of Data and Privacy in Competition, (Oct. 18, 2019), https://www.ftc.gov/system/files/documents/public_statements/1549812/chopra_-_testimony_at_hearing_on_online_platforms_and_market_power_part_3_10-18-19.pdf.
 Statement of Commissioner Rohit Chopra Regarding the 10th Anniversary of the Enactment of the Dodd-Frank Wall Street Reform and Consumer Protection Act, (July 21, 2010), https://www.ftc.gov/system/files/documents/public_statements/1578363/chopra_-_statement_on_dodd-frank_anniversary.pdf; Rohit Chopra, (Mar. 6, 2020), https://twitter.com/chopraftc/status/1235964374684221441.
 Rohit Chopra: Consumer Protection in an Age of Uncertainty Keynote Conversation (Day 2), (Mar. 22, 2019), https://fordschool.umich.edu/video/2019/rohit-chopra-consumer-protection-age-uncertainty-keynote-conversation-day-2; Rohit Chopra and Samuel A.A. Levine, The Case for Resurrecting the FTC’s Penalty Offense Authority,(Nov. 3, 2020), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3721256.
Consumer Finance Observer – Winter 2021 Edition
Jenner & Block has published its sixth issue of The Consumer Finance Observer or CFO, a newsletter providing analysis of key consumer finance issues and updates on important developments to watch. As thought leaders, our lawyers write about the consumer finance sector on topics ranging from biometric data, compliance, data security, FinTech, lending, and securities litigation.
In the Winter 2021 issue of the CFO, our consumer finance lawyers discuss: California's passing of Proposition 24; CCPA's Private Right of Action; California's new Consumer Financial Protection Law; betting on an athlete's biometric data; Colorado's right to enforce its consumer loan interest rates; LendIt 2020, the largest FinTech conference of the year; a recent enforcement action by the SEC and the CFTC in the FinTech space; and European Data Protection Board's guidance on personal data transfers following Schrems II. Contributors are Partners Kelly Hagedorn, Charles D. Riely, Michael W. Ross, David P. Saunders, Kate T. Spelman, and Wade A. Thomson; Special Counsel David W. Sussman; Associates Vivian L. Bickford, Effiong K. Dampha, Michael F. Linden, E.K. McWilliams, Madeline Skitzki, and Matthew Worby; and Staff Attorney Alexander N. Ghantous.
To read the full newsletter, please click here.
EDPB Provides Guidance on Personal Data Transfers Following Schrems II
By: Kelly Hagedorn, David P. Saunders, and Matthew Worby
Earlier this year, in Schrems II, the Court of Justice of the EU (CJEU) invalidated the EU-US Privacy Shield. That judgment also cast doubt over the validity of standard contractual clauses (SCCs) as a means by which to transfer personal data outside of the EU, in particular to the United States. Unsurprisingly, this has caused concern within organisations who rely on such transfers as part of their business model.
Data protection requirements, imposed by the GDPR, travel with any personal data whenever it is transmitted outside of the EU. Problems arise when an organisation needs to transfer personal data to a jurisdiction where local laws might undermine these protections. Without some way to manage this potential conflict, it was unclear if organisations’ personal data transfers outside of the EU would be able to continue.
Unfortunately, the CJEU provided no practical guidance for organisations as to how to make international personal data transfers compliant with its ruling and did not provide any safe harbour period before its ruling took effect. In recent days, however, two key efforts have been made to assist organisations meet their post-Schrems II GDPR requirements:
recommendations have been issued by the European Data Protection Board (EDPB); and
a revised set of SCCs has been published by the European Commission for consultation.
Recommendations Issued by the EDPB
The EDPB has published a practical roadmap for organisations seeking to transfer personal data internationally in a compliant manner in the wake of Schrems II. This roadmap sets out six recommended steps:
Map all transfers of personal data
As a first step, organisations should identify and catalogue all of their international personal data transfers. The EDPB used this opportunity to remind organisations that remote access to personal data, or the cloud storage of personal data, may constitute transfers to be included in this exercise.
Verify that this personal data is being transferred in a compliant manner
Once the data flows have been catalogued, the tool (for example, SCCs) that each transfer relies upon must be identified.
An international transfer of personal data should not proceed without an appropriate transfer tool in place. The transfer tools available are (i) an adequacy decision in respect of the recipient country made under Article 45 of the GDPR, (ii) one of the mechanisms provided for under Article 46 of the GDPR, including SCCs and Binding Corporate Rules, or (iii) one of the derogations provided for in Article 49 of the GDPR (such as public interest).
Assess if there is any law or practice in the receiving country that would limit the effectiveness of the safeguards created by the transfer mechanism in use
The third step requires organisations to assess each transfer tool, and identify – on a practical level – if each tool being relied upon protects personal data to the level required by the GDPR.
Of principal concern, per the EDPB, is the existence of “anything in the law or practice of the [receiving country] that may impinge on the effectiveness of the appropriate safeguards” being relied upon. Schrems II highlighted the difficulties posed by the US’ mass surveillance programmes in this regard. If a transfer tool is unable to provide an adequate level of protection, despite otherwise being valid, it should not be used alone as a means of transferring personal data outside of the EU.
Where an assessment is required, the EDPB recommends that this should be based on an objective review of the receiving country’s legislation or, if this is not possible, “other relevant and objective factors”. This assessment should not take into account any subjective factors, such as the type of data being transferred. If the receiving country’s laws do not allow for personal data to be protected, then further action, as detailed in step 4 below, will be required.
It is possible that a country’s legislation empowers national security agencies to access personal data. If this is the case, the assessment should consider (i) the extent to which these powers are limited to what is necessary or proportionate in a democratic society, or (ii) if they breach EU standards.
Any such assessment will be a complex undertaking. Helpfully, however, the EDPB does provide practical and positive recommendations in this regard. In particular, the EDPB notes that:
it is possible to conclude following an assessment that any potential interference permitted by a country’s laws will be limited to a similar degree to that to level of potential interference allowed under the GDPR; and
the existence of a comprehensive data protection law, or an independent data protection authority, can indicate that a country’s potential interference with personal data protections can be considered proportionate.
This is a pragmatic approach from the EDPB and seems to be designed to empower organisations to make positive decisions as to the ability to transfer personal data internationally, where appropriate.
In any event, the assessment should be clearly documented and undertaken carefully. The EDPB notes that organisations will be held accountable for the decisions made based on the assessment.
Identify and adopt any additional measures as necessary to bring the level of protection for this data to the level required by the GDPR
It is possible that a company concludes that the transfer tool they intend to rely on, by itself, will not provide the required level of protection for personal data. This may be the case with transfers to the US in light of Schrems II. The EDPB has however provided companies with suggestions as to how supplementary measures can be used to continue data transfers even if the tool for transfer alone is insufficient.
These supplementary measures are categorised as being of a technical, contractual, or organisational nature. All three, when used in combination, are likely to be most effective in ensuring compliance with the GDPR.
The technical measures suggested by the EDPB include:
Pseudonymisation, where the personal data being transferred is altered such that an individual can no longer be identified without further information; and
Split processing, where the personal data is segmented and provided to separate parties, such that no one party can identify an individual from the data it receives.
The contractual measures listed by the EDPB include imposing obligations on recipients of the personal data to implement appropriate technical measures, or a requirement for relevant legislative developments within the recipient country to be brought to the attention of the data exporter by the recipient.
Organisational measures relate to internal policies or methods, intended to improve a company’s awareness of the risks present in transferring personal data outside of the EU.
It is important to note that these supplementary measures must be capable of ensuring, in conjunction with a transfer tool, that the level of data protection provided will meet the level required by the GDPR. If this is not the case then the transfer should not proceed.
Take formal procedural steps if required
Where supplementary measures are identified and implemented, certain formalities may need to be completed. These should be completed prior to any international transfer of personal data.
Periodically re-evaluate the level of protection these transfers enjoy
Finally, once this process has been concluded, organisations should ensure that they monitor any developments in countries where personal data has been transferred. In the event there are any developments, these six steps should then be re-visited to ensure continued compliance with the GDPR.
Draft SCCs Published by the European Commission
Seemingly drafted with the EDPB guidance in mind, the European Commission has proposed a new set of SCCs. This document, currently published in draft form, is open for consultation until 10 December 2020. It is currently unclear when the final version of the revised SCCs will be published.
Importantly, and not entirely in response to Schrems II or the EDPB guidance, these draft SCCs represent a clear attempt by the European Commission to provide as practical a set of SCCs as possible. For example, the draft SCCs:
Cater for international data transfers from a data processor to another data processor, a long overdue development;
Set out a new modular approach, allowing for parties to use one single template document to govern transfers from (i) controller-to-controller, (ii) controller-to-processor, (iii) processor-to-processor and (iv) processor-to-controller; and
Reference the need for parties, using whichever module, to assess what constitutes an “appropriate level of security” for a transfer, account for the risks involved in a transfer, and then undertake due consideration of the technical measures that would be appropriate to safeguard a transfer.
In perhaps one of the more significant concessions to businesses put into some difficulty by Schrems II, the European Commission’s draft measures currently provide for a year’s grace period to implement these new clauses. This would give organisations time to transition from the previous form of SCCs (subject to implementing any required supplementary measures in the meantime) to the new version, whenever these are finalised.
In the face of the uncertainty that Schrems II created, it is to be welcomed that the EDPB and European Commission have sought to provide practical guidance to organisations. This uncertainty has been compounded by the impending end of the Brexit transition period on 31 December 2020, following which personal data transfers from the EU to the UK will need to rely on an effective and reliable transfer tool. The finalisation of the new SCCs will allow for greater stability in that regard. It is a fact that many businesses rely on international personal data transfers for various reasons, and a recognition that these should be facilitated as far as possible is a positive step.
Organisations now face the task on implementing the EDPB’s recommendations, which is where their utility and practicality will really be tested.
 Case C-311/18, available here.
 The EDPB is the body within the EU tasked with ensuring that data protection rules are applied consistently within the bloc.
 It should be noted that, where the transfer of personal data relies on an adequacy decision, no further steps need to be taken in this regard, apart from ensuring on a periodic basis that this decision is still in force. This is because, unlike other transfer mechanisms, an EU adequacy decision in effect states that there are no laws or practices that would undermine data protection rights in that jurisdiction.
 Greater guidance is available from the EDPB, available here. Broadly, EU standards are as follows:
Processing should be based on clear, precise and accessible rules.
Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated.
An independent oversight mechanism should exist.
Effective remedies need to be available to the individual.
 Such formalities include, for example, where parties seek to deviate from the SCCs, or the technical measures that are required in some way contradict the SCCs. In such an instance prior approval from the appropriate Data Protection Authority would be required before any international transfer of personal data occurs.
California Passes Proposition 24: California Privacy Rights Act to Become Law
By: David P. Saunders, Kate T. Spelman, and Effiong K. Dampha
Privacy was on the ballot this November, at least in California. And it appears that enough people voted in favor of Proposition 24, the California Privacy Rights Act (CPRA), for it to become law. Although the CPRA technically becomes effective five days after the California Secretary of State certifies the voting results, the bulk of the law – which is an overhaul of the California Consumer Privacy Act (CCPA) – will not come into force until January 1, 2023. Businesses have some time to prepare for the most significant changes, which we have written about previously. Those changes include handling a new category of “sensitive personal information,” the expansion of the existing CCPA private right of action, and mandatory changes to company privacy policies. So what happens to the CCPA, and what do businesses have to prepare for? The answer is not much in the short term.
Until the CPRA becomes fully effective in 2023, the CCPA remains in full effect. That means businesses should keep up with their CCPA compliance, including being attentive to new California Attorney General regulations. The following CPRA provisions – which largely do not impact businesses directly – will become effective once the California Secretary of State certifies the voting results:
An extension of the carve out for business contact and employee personal information that is collected by businesses covered by the CCPA. In the existing CCPA, these carve outs were set to expire on January 1, 2021. The carve outs will now be extended to January 1, 2023.
A Consumer Privacy Fund will be created – with appropriations to be made by the legislature – with the purpose of “offsetting the costs” of state courts and the California Attorney General enforcing the CCPA (and later the CPRA). The fund will also be used “to promote and protect consumer privacy, educate children in the area of online privacy, and fund cooperative programs with international law enforcement organizations” in connection with addressing consumer data breaches.
The California Attorney General will be charged with developing a laundry list of new regulations, which will put meat on the bones of many of the new CPRA rules.
A new state agency, the California Privacy Protection Agency, will be created, funded, and begin operations.
Because of the phased effective dates for CPRA’s provisions, businesses have time to revise their policies and prepare for the full weight of the CPRA. Of course, that does not account for whatever CPRA regulations the California Attorney General publishes, which we expect to be previewed perhaps as early as late 2021.
Jenner & Block has developed a checklist for clients to compare their existing CCPA privacy notices against the new requirements of the CPRA. If you need assistance preparing for the CPRA, please contact the authors.
Authors Explore Cases that Test Limits of the California Consumer Privacy Act
In a recent article published by The Recorder, Jenner & Block Partner Kate T. Spelman and Associates Vivian L. Bickford and Effiong G. Dampha examine class action cases that test the limits of the California Consumer Privacy Act, which took effect January 1. “These suits shed light on the various ways plaintiffs are testing the boundaries of the CCPA and its private right of action,” the authors observe. They then highlight several categories of these boundary-testing lawsuits.
To read the full article, titled "Class Actions Seek to Test the Limits of the CCPA's Private Right of Action," please click here.
Three Takeaways from Lendit 2020
By: Michael W. Ross
I recently attended LendIt’s 2020 conference, the largest Fintech conference of the year. Kudos to everyone at LendIt for successfully transitioning the conference to a remote platform – it was a great few days of speakers and topics including really slick tools for engagement and networking. In this post, I’m sharing rough notes on my top three takeaways from the sessions I attended. This is by no means a comprehensive recap, and, if you attended, I’d love to hear from you about what you thought.
Artificial Intelligence. First, artificial intelligence and machine learning are on everyone’s mind these days. From regulators to service providers to financial institutions, speakers honed in on the use of AI for everything from underwriting, to risk analysis, to loan servicing, to many other things. Everyone is talking about the risks and rewards of using these new tools, including how to hone their models and how much to involve a human touch. As I listened, the relevance of our prior writing and talks on the potential for enforcement activity in the area of AI was top of mind – it has stayed quite relevant. Check it out!
Serving the Underserved. Relatedly, almost everyone seems to be talking about how technology is helping improve access to credit and banking services to those previously cut out – not only the use of AI, but also the overall digitization of banking, payments, and credit. Thought leaders are focused on looking beyond the ordinary credit file; on the use of mobile services to reach new consumers; and on the growth of non-traditional payment platforms. Stay tuned for developments in this area, including the broadening of the “payments” world to include non-financial institutions.
Partnerships. Last, partnerships are all the rage. Financial institutions are buying startups, in addition to investing in technology themselves; smaller banks, community banks, and others are partnering to keep up with the latest tech trends; and regulators are focused on the third-party risk issues that partnerships raise, and also on allowing third parties to keep smaller banks competitive through partnerships. This area is not limited to true lender issues – especially keep an eye on the FDIC’s recent request for information on standard-setting for third-party service providers.
Again, these are just some blog thoughts from one attendee – please get in touch with your reactions and thoughts!