Consumer Protection Alert

Date: Feb 18, 2014


Connecticut Considers Following Federal Lead on Cadmium

Four years after adopting a law that limited cadmium content in children’s jewelry to 75 parts per million (ppm) effective July 2014, Connecticut’s legislature is holding a hearing on February 18 to consider a bill that would shift gears and follow the federal government’s lead, using limits based on the migratability of cadmium in case of accidental ingestion. The proposal, Raised Senate Bill No. 85, would adopt the national voluntary consensus standard on children’s jewelry, known as ASTM F2923-11. That standard was developed in response to an October 2010 paper produced by the staff of the U.S. Consumer Product Safety Commission (CPSC); the CPSC’s staff there emphatically rejected a flat content limit similar to the one Connecticut adopted. The agency’s staff instead recommended the use of migration tests to establish the level of hazard raised by chronic or acute exposure to cadmium. The Fashion Jewelry and Accessories Trade Association (FJATA) led the effort to develop the voluntary standard that addressed the risk posed by cadmium, which culminated in the adoption of the children’s jewelry standard in 2011. In 2012, the CPSC’s leadership voted to reject a petition that asked the agency to establish cadmium content limits, explaining that compliance with ASTM F2923-11 would “adequately reduce the risk of harm from exposure to cadmium,” and that the standard set “appropriate limits” and “testing methods” for soluble cadmium. If the Connecticut legislature adopts this bill, the voluntary standard limits would apply to children’s jewelry sold or made in Connecticut as of July 1, 2014, in lieu of the 75 ppm limit that is currently scheduled to go into effect.

FTC to Hold Roundtable on Clothing Care Labeling 

The Federal Trade Commission (FTC) announced last week that it will hold a roundtable to discuss proposed changes to its care labeling rule for clothing at the FTC’s conference center in Washington, DC, on March 28, 2014. The rule requires manufacturers and importers to attach labels with care instructions for drycleaning, washing, bleaching, drying, and ironing of garments. If adopted, the rule would allow businesses to use modernized labels across international borders.

The roundtable follows on a September 2012 request for comments on a proposed rule that would:

  • allow manufacturers and importers to include professional wetcleaning instructions for wetcleaning—an environmentally-friendly alternative to drycleaning—on labels if the garment can be professionally wetcleaned;
  • permit manufacturers to use updated ASTM or ISO symbols on labels in lieu of written instructions;
  • clarify what constitutes a reasonable basis for care instructions; and
  • update the definition of "dryclean" to reflect current practices and account for new solvents.

The roundtable was originally scheduled for last October, but was canceled because of the government shutdown. Requests to participate as a panelist at the March 28 roundtable are due by February 28, 2014.


States Adopt National Cybersecurity Frameworks

Virginia Governor Terry McAuliffe announced that the state will adopt the new voluntary Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST) to help identify and communicate cybersecurity risks. Other states are taking similar steps; Maryland’s senate recently passed a bill requiring the state to use the federal framework, Hawaii’s governor promoted a staffer to be his chief adviser for technology and cybersecurity, and the National Association of State Chief Information Officers called for states to adopt the NIST framework “as a common language in which to build a strategic cybersecurity plan” that would address a major vulnerability in national security while protecting privacy and personal information.

The NIST Framework was developed in consultation with a broad array of private and public sector stakeholders. President Barack Obama announced the final version of the Cybersecurity Framework at the White House on February 12, 2014. Some corporate interests praised the standards, suggesting that the Framework would be widely adopted and perhaps used in determining supply chains. Cybersecurity has particular salience in the wake of recent breaches at major retailers. The Framework also has many critics; some suggested that it was too abstract, failing to even use the word “firewall,” a common component of network security. Likewise, some suggested that implementing the Framework would be a step backward for some companies. Others criticized its voluntary nature, saying that it will be difficult to gauge its adoption. Whatever one’s take is on the Framework, cybersecurity is only increasing in importance. Responsible companies across the supply chain should be assessing, implementing, and re-assessing security solutions often.

Retailers and Banks Join on Cybersecurity

In the wake of high-profile data breaches, retailers and banks are taking steps to enhance the security of consumers’ payment information. A group of associations, including the Retail Industry Leaders Association (RILA), National Retail Federation (NRF), Financial Services Roundtable (FSR), American Bankers Association (ABA), The Clearing House (TCH), and others announced that they were joining forces on cybersecurity. According to a joint press release, the partnership “will focus on exploring paths to increased information sharing, better card security technology, and maintaining the trust of customers.” One key element of a future partnership may be an information-sharing system similar to one the financial services industry uses, the Financial Services Information Sharing and Analysis Center (FS-ISAC).

The announcement comes after banks and retailers each blamed the other for what has increasingly seemed to be the relatively fraud-prone U.S. payments systems. Retailers have argued that the payment infrastructure should adopt a chip-and-PIN system, while bankers have argued that such a system would not have prevented the recent data breaches. The bankers have favored a chip-and-signature system instead. One point that all participants agree on is the need for a national data breach notification law to replace the patchwork of state laws that business now must navigate. While several national, preemptive data breach notification bills have been introduced over the years, none have passed.

Settlement on Facebook’s Social Ads Attacked by Interest Groups

Non-profit interest groups are attacking the proposed settlement of a class action suit against Facebook, Inc. (Fraley v. Facebook, Inc., Case No. CV-11-01726 RS (N.D. Cal.)), over the use of minors’ names and images online. The case concerns social ads—“Sponsored Stories”—in which a Facebook user’s name or profile picture appears indicating that the user “liked” the sponsor or its content on the social network. The settlement would distribute $20 million to class members and cy pres recipients, including $290,000 to the Campaign for a Commercial-Free Childhood (CCFC). But the CCFC sent an amicus curiae letter to the Ninth Circuit Court of Appeals supporting an appeal that Public Citizen filed objecting to the settlement. The groups argue that the settlement would violate state privacy laws, including California’s, with respect to children. Specifically, the settlement would permit Facebook to continue to post ads with users’ images but require the company to revise its privacy policy to state that all users consent to their images being used in ads. But the groups argue that minors’ images either should not be used at all or should not be used without explicit parental opt-in. A Facebook spokeswoman defended the settlement as one that “provides substantial benefits to everyone on Facebook, including teens and their parents, and goes beyond what any other company has done to provide consumers visibility into and control over their information in advertising.” Notably, the company announced last month that it would discontinue the type of ad that is the subject of the case.

FTC Reaches Another Settlement Over DOC Safe Harbor Compliance Claims

The FTC announced a proposed settlement with the children’s online entertainment company Fantage.com over the company’s claims that it complied with the U.S.-EU Safe Harbor Framework. To participate in the Framework, a company must self-certify with the U.S. Department of Commerce (DOC) annually to seven principles to meet the EU’s privacy adequacy standards. Fantage, which runs a multi-player online game, allegedly failed to renew its June 2011 Safe Harbor certification until January 2014, even though the company’s privacy policy stated that it complied with the Framework. This settlement adds to the growing list of companies targeted by the FTC for Safe Harbor enforcement actions. Just last month, the FTC announced that 12 other companies agreed to similar settlements. With the European Union still grappling with a new proposed privacy regulation to replace the current Privacy Directive, and with some data protection administrators and others criticizing the effectiveness of the DOC Safe Harbor, FTC enforcement is intended to bolster the credibility of this program.

For more information about privacy, data security, product safety, and other consumer protection–related issues, contact Sheila A. Millar at millar@khlaw.com or 202 434-4143; JC Walker at walker@khlaw.com or 202 434-4181; or Tracy P. Marshall at marshall@khlaw.com or 202 434-4234.