Clamshell compliance: California’s Rigid Plastic Packaging Container law

California remains on the forefront of sustainability and recycling requirements. A key restriction in California is the Rigid Plastic Packaging Container Law, which targets hard plastic product packaging (namely “clamshells”).  The law requires that product manufacturers reduce waste from covered packaging through several methods.

The California Department of Resources Recycling and Recovery, referred to as CalRecycle, administers the law and enforces its requirements. Non-compliance can subject a manufacturer to up to $100,000 in fines per year.

What the law covers

The law applies to packaging that is:

  • Made entirely of plastic (except for incidental portions of the packaging);
  • Inflexible in shape or form;
  • Capable of holding between eight ounces and five gallons of product;
  • Capable of at least one closure (i.e., being sealed shut during packaging).

These criteria exclude, for example, blister packs, plastic bags, plastic sleeves covering products (like an umbrella cover), and very small or very large product packaging.

The law also exempts specific types of products, including packaged hazardous material subject to US Department of Transportation Regulations, and foods, drugs, and cosmetics.

Who the law covers

The law applies to “product manufacturers,” defined as the company that “through its own action or through contract or control, is primarily responsible for causing a product to be produced…”  CalRecycle has issued regulations to clarify this definition, applying the following hierarchy for determining the manufacturer:

  • The brand holder;
  • The company with “control or influence over the design of the product”; and
  • The company with “primary control or influence over the design specifications” of the container.

Based on these criteria, it is likely that it many situations, the actual product manufacturer is not responsible for compliance – instead, it will fall to the private labeler (even if a manufacturer is supplying the same product to multiple private labelers).

How to comply

The law requires that manufacturers reduce waste from packaging through any of three methods:

  • Use of post-consumer recycled material in the packaging (at least 25% of the package);
  • Source reduction (reducing the size/amount of packaging by 10% over prior iterations of the same packaging); and
  • Packaging products in reusable containers (refillable at least five times).

Product manufacturers must be able to substantiate compliance with data on the packaging used. The regulations implementing the law provide detailed requirements for doing so.

The RPPC’s unusual enforcement approach

The law’s enforcement approach is highly unusual: CalRecycle annually audits randomly selected manufacturers, requiring them to certify compliance for the coming year. Here’s how the process works:

  • First, CalRecycle notifies a manufacturer that the law applies to it. After notification, the manufacturer must register with CalReycle within 90 days. Note that the law requires compliance whether a manufacturer has received this notification or has registered – but if a manufacturer has not received this notification and registered, it cannot be selected for a compliance audit.
  • Second, CalRecycle randomly selects several manufacturers from the pool of registered entities and provides notice that they may be required to certify compliance. CalRecycle sends these notices out one year in advance of the audit year (by January 31st of the preceding year).  Selected manufacturers are in the “Precertfication Phase,” and must acknowledge receipt of the the Precertification Notice within 90 days.
  • Third, from the pool of precertification manufacturers, CalRecycle selects the manufacturers it will audit. CalRecycle provides the lucky winners with notice of selection by March 31st of the year preceding the audit year.
  • Finally, audited manufacturers must certify compliance by April 1 of the year following the audit year. The regulations provided detailed information for calculating compliance for each of the compliance methods.

Timeline

While the phased nature of the certification process allows for time to come into compliance, a company failing to meet any deadlines, or ultimately being out of compliance, will be fined.  The maximum amount a company can be fined is $100,000 in a calendar year.  Companies have been fined tens of thousands of dollars for missing deadlines or failing to comply, and some have been fined multiple times.

Drone requirements continue to evolve

Back in 2015, the FAA promulgated various rules and regulations regarding the use of drones, which included a requirement to register all such aircraft. The FAA has subsequently finalized its rule for Small Unmanned Aircraft Systems, which took effect on August 29, 2016. The new rule offers safety regulations and limitations for unmanned drones weighing less than 55 pounds that conduct “non-hobbyist operations.”

This is particularly relevant because the past year has seen the rapid rise of unmanned aircraft, and various companies are experimenting with the use of drones in their commercial ventures.

This post provides a quick overview of the new rules and regulations relating to drones for commercial and recreational use. Keep an eye on this space for updates and further insight as FAA continues to implement the new rule.

Operational Requirements

The FAA’s final rule implements safety regulations for non-recreational use of unmanned aircraft weighing less than 55 pounds. Users who want to fly for commercial or other business uses must now comply with the following:

  • Weight limit of 55 pounds (inclusive of cargo)
  • Yield to other aircraft
  • Maximum limits on speed and altitude
  • Hazardous materials prohibited
  • Must remain within visual sight of the pilot – pilot cannot be mobile
  • No operation over individuals not directly participating in the flight
  • Only operated in daylight or twilight (if the drone has anti-collision lighting)
  • Flight may not cross state boundaries (with certain exceptions)

Pilot Certification

Drone operators must have a remote pilot airman certificate or be under the direct supervision of one who holds that certificate. To qualify for the certificate, a person must be at least 16 years old and pass a knowledge test and other training requirements.

FAA has issued a summary of the guidelines that is helpful.

Waiver Process

FAA also plans to implement a waiver process for some restrictions if the operator proves the proposed flight will be conducted safely under a waiver. The new FAA rule also allows drones to be legally used for commercial purposes without an approval process if the drones are operated by specified certified pilots in compliance with safety requirements. FAA expects to roll out a waiver and approval process in the coming months.

Drones for Recreational Use

The FAA’s new rule does not apply to drones flown as a hobby or for recreational purposes weighing between 0.55 and 55 pounds, so long as the drone is registered and flown in accordance with the Special Rule for Model Aircraft. Hobby or recreational drones weighing less than 0.55 pounds need not be registered. The FAA has interpreted “model aircraft” to exclude both commercial operations and flights “in furtherance of a business, or incidental to a person’s business.”

Congress expressly limits FAA’s authority over model aircraft so long as:

  • The aircraft is flown strictly for hobby or recreational use;
  • The aircraft is operated in accordance within specified safety guidelines;
  • The aircraft is no more than 55 pounds, unless otherwise certified;
  • When operated, the aircraft does not interfere with manned aircraft; and
  • When flown within 5 miles of an airport, prior notice is given to the airport operator and air control tower.

Second Circuit guts jury verdict with post-trial decertification

Given the low probability that a class action will go to trial and the high probability that a settlement favorable to plaintiffs and their attorneys will be reached after class certification, there is a consistent “race to certification” in many consumer class action matters. The plaintiffs’ bar frequently frames claims with an eye towards meeting Rule 23 requirements, with little regard to whether or not the evidence actually exists to prove the merits of the claims.

While many defendants are disheartened when a class is certified, a recent decision out of the Second Circuit reminds that certification is not the coup de gras of any defense, and plaintiffs are always at risk (even after trial), of losing this status.

In Mazzei v. The Money Store, plaintiff Joseph Mazzei brought claims against The Money Store (a loan servicer and mortgage lender), alleging breach of contract for the assessment of late fees after his defaulted loan was accelerated (i.e., the entire sum of principal and interest was due). Mazzei argued that “post-acceleration” late fees violated the terms of the mortgage loan.

Based on these claims, Mazzei sought and obtained certification of a national class of borrowers whose loans were either owned or serviced by The Money Store. He prevailed on his late fee claims at a jury trial, obtaining a class award of approximately $32 million plus prejudgment interest. However, after the jury verdict and before entry of final judgment, The Money Store successfully moved to decertify the class, on the grounds that Mazzei’s failure to prove privity of contract for absent class members failed to meet Rule 23 requirements of typicality and predominance. This ruling left Mazzei, although successful at trial, an award of only $133.80.

Unsurprisingly, Mazzei appealed the decertification, arguing that 1) decertification is unavailable after a jury trial, 2) decertification findings were incompatible with the Seventh Amendment, and 3) Rule 23 elements were satisfied. The Second Circuit ruled against Mazzei on all three grounds.

First, the Court found that decertification could be granted at any time prior to final judgment. The panel cited the “affirmative duty” of the district court to monitor its class decisions because the results of class proceedings are “binding on absent class members.” Rule 23, the Court held, not only authorized decertification after trial, but the process was “corollary” to the rule’s purpose.

The Court was also not persuaded that decertification after trial impugned any parties’ Seventh Amendment right to a jury trial. Mazzei was able to present his claims to the jury. And absent class members’ right to a jury trial was not impaired because they were still able to file individual claims, since the statute of limitations on any action was tolled up until decertification.

Finally, decertification was justified because the district court had the power to determine that the jury’s factual findings supporting certification were “seriously erroneous,” a “miscarriage of justice,” or “egregious.” The Second Circuit panel agreed with the district court’s assessment that Mazzei was not typical of class members whose loans were serviced (not owned) by The Money Store, and common issues did not predominate because fact-finders would have to look at every class member’s loan documents to determine whether there was privity of contract. Based on the lack of classwide evidence of privity of contract, Rule 23 was not satisfied.

The Court further refused to create subclasses of individuals whose loans were owned by The Money Store, and those whose loans were merely serviced by the company. There was no evidence in the record to enable the Court to determine what types of loans each of the class members had, making subclasses impossible to determine.

This decision is a powerful reminder that a class can be decertified at any stage in a litigation, enabling defendants to snatch victory from the jaws of defeat after a disfavorable jury verdict. Hopefully, plaintiffs will become more thoughtful about their cases, with the realization that making factual allegations to get past class certification will do them no good if they can’t back them up.

New PCI requirements for retailers

For retailers that accept credit or debit cards and use service providers, a new version of the PCI Data Security Standards (PCI DSS v3.2) will impose new requirements as of November 1, 2016.

The Payment Card Industry (PCI) Security Standards Council issued “clarifications” and “evolving requirements” in the new version. Clarifications are changes to ensure “that concise wording in the standard portrays the desired intent of the requirements.” Evolving requirements aim to “ensure that the standards are up to date with emerging threats and changes in the market.”  The Council also issued guidance as part of the new standards.

Altogether, there are 44 clarifications and 12 evolving requirements. Although every change can be  important, this post focuses on the 12 evolving requirements.

November 1, 2016 Compliance Date

  • Section 3: adopts a “minimum necessary” standard for Permanent Account Number (PAN) display. The display would usually be limited to only the last 4 digits of the PAN or, if a bank identification number is needed, only the first 6 digits of the PAN.
  • Section 8.3: requires multi-factor authentication for all access that is “individual non-console administrator access” and all remote access to the cardholder data environment. Note that the guidance specifies that multi-factor authorization is not required at both the system level and application level for any particular system component.
  • Section 8.3.2: requires multi-factor authentication for “all remote network access originating from outside the entity’s network [both user and administrator, and including third party access for support or maintenance].” Per the guidance, this requirement applies to any remote access “when that remote access could lead to access to the cardholder data environment.”  The guidance also recommends (but does not require) multi-factor authentication for all remote access to the entity’s network.

January 31, 2018 Compliance Date

While these new requirements have a long lead time, the new standards describe them as “best practices” until the compliance date.

  • Section 3.5.1: requires service providers to maintain a documented description of their cryptographic architecture. This documentation includes details of algorithms, protocols, and keys (key strength, expiry date, and usage). It also includes hardware security modules and secure cryptographic devices for key management. Service providers must maintain current documentation to help service providers detect missing keys and identify unauthenticated additions to the cryptographic architecture.
  • Section 6.4.6: mandates updated documentation, including network diagrams, system configurations, and vulnerability scanning for any new or changed systems and networks.
  • Section 8.3.1: requires multi-factor authentication for administrator non-console access into the cardholder data environment. Per the guidance, this requirement does not apply to application or system accounts performing automated functions.
  • Section 10.8: requires service providers to establish processes for timely detection and reporting of failures of critical security control systems, such as firewalls, anti-virus systems, physical access controls, and audit logging.
  • Section 10.8.1: requires service providers to respond in a timely fashion to failures of the critical security control systems.
  • Section 11.3.4.1: requires service providers that elect to use segmentation to test every six months and after changes to segmentation controls/methods. The tests are reviews of the twice-yearly (at least) penetration tests.
  • Section 12.4.1: requires service provider executive management to establish responsibility for protection of cardholder data and a PCI DSS compliance program, including a charter and communication to executive management.
  • Section 12.11: requires service providers to perform reviews (at least quarterly) to confirm that personnel are following security policies and operational procedures. These reviews must include:  (1) daily log reviews; (2) firewall rule-set reviews; (3) applying configuration standards to new systems; (4) responding to security alerts; and (5) change management processes.  Testing procedures include interviews of responsible personnel.
  • Section 12.11.1: requires service providers to document the quarterly review process in Section 12.11, including the results of the reviews and sign-off by the personnel assigned responsibility for the PCI DSS compliance program.

The mysterious world of green chemistry: Maine’s green chemistry law

Continuing our review of state green chemistry laws, Maine’s Safer Chemicals in Children’s Products Act primarily requires reporting the use of specified chemicals in certain children’s products based on risk and hazard criteria, although it may be used to restrict or ban use. Manufacturers of certain children’s products that contain specified chemicals must submit a one-time report to the Maine Department of Environmental Protection. The SCCP defines “manufacturers” as the domestic manufacturer or brand holder, and the importer or first domestic distributor if the manufacturer does not have a US presence.

Chemical Lists

The Department maintains three chemical lists based on risk and hazard criteria. The first list, “chemicals of concern,” includes approximately 1400 chemicals identified by other lists (such as those from EPA, the EU, and Proposition 65) as carcinogens, reproductive toxins, or endocrine disruptors. From this list, 49 chemicals make the second list, called “chemicals of high concern,” because they are found to be (1) present in human blood, breast milk, urine, or tissue; or (2) present in a home environment (e.g., in dust, indoor air, drinking water); or (3) added to or present in consumer products used in the home. Chemicals of high concern may then be placed on the third list, “priority chemicals,” based on factors such as pervasiveness of use, presence in the environment, and prohibition of use in other states.

Priority Chemicals

Priority chemicals are subject to reporting requirements and possibly other restrictions. The Department publishes these requirements in conjunction with adding a chemical to the priority chemicals list. Reports are required either for an intentionally-added priority chemical or the presence of a priority chemical above de minimis levels, defined as 100 parts per million. Please note that priority chemicals in a product above 100 ppm as the result of contamination do not require a report if the manufacturer has legitimate manufacturing control processes in place.

The current priority chemicals and requirements are:

  • Arsenic
  • Cadmium
  • Mercury

Manufacturers must report the presence of any of these chemicals above 100 parts per million in children’s accessories, bedding, childcare articles, clothing, cosmetics, costumes, craft supplies, footwear, games, jewelry, personal care products, safety seats, school supplies, and toys.

  • Bisphenol A

The sale of reusable food and beverage containers, baby food packaging, and infant formulate packaging made with BPA is prohibited.

Manufacturers must report the presence of BPA above 100 parts per million in toys, child care articles, and tableware.

  • Formaldehyde

Manufacturers must report the presence of any intentionally-added formaldehyde in children’s accessories, bedding, childcare articles, clothing, cosmetics, costumes, craft supplies, footwear, games, jewelry, personal care products, safety seats, school supplies, and toys.

  • Nonylphenol and Nonylphenol Ethoxylates

Manufacturers must report the present of NP/NPE above 100 ppm in household and commercial cleaning products, cosmetics, personal care products, and home maintenance products.

  • Phthalates

Manufactures must report the presence of any intentionally-added DEHP, DBP, DEP, or BBP in children’s clothing, footwear, craft supplies, cosmetics and personal care products, home cleaning products, furniture and furnishing, and accessories and jewelry, as well as building and home maintenance products with which children may have direct contact.

Reporting

If a report is required, manufacturers have 30 days after the product first becomes available for purchase in Maine to submit the report.

Report information includes:

  • Name and address of the manufacturer
  • Name, address, and phone number of a contact person for the manufacturer
  • A description of the product, including size of the product/component that contains the chemical
  • Whether it is mouthable (less than 5 cm)
  • Units sold/distributed in Maine
  • The amount of formaldehyde in the product
  • The function of formaldehyde in the product
  • Any other relevant information (e.g., exposure assessments of the product).

The Department has published guidance on reporting and chemical-specific reporting forms.

The Department also imposes an unspecified “reporting fee” intended to cover the cost of collecting and managing the information. There is little information about this fee, and the Department’s guidance suggests contacting Kerri Malinowski, kerri.malinowski@maine.gov, with any questions regarding the applicability and amount of the fee.

Enforcement

If the Department identifies an unreported product containing a priority chemical, it will first send a notification to the manufacturer. The manufacturer then has an opportunity to rebut the Department’s position. The manufacturer could, for example, identify the chemical as a contaminant and describe its manufacturing control processes.

No fines or penalties are specified in the statute or guidance, but the statute expressly prohibits the sale of products within the state if not reported. The Department’s public enforcement reports contain no enforcement actions to date. Although not specified, the Department could pursue penalties under Maine’s general enforcement provisions for environmental laws, which authorizes civil penalties of up to $10,000 per violation per day.

Update: FTC gets $13.4 million judgment against BlueHippo

 

Updating a prior post, on May 2, 2016, the Federal Trade Commission (FTC) announced its receipt of a $13.4 million judgment against the CEO of BlueHippo, after the Second Circuit overturned the district court’s determination that BlueHippo’s damages were limited to $600,000 in 2014.

BlueHippo marketed computers and electronics to consumers regardless of their credit history, using an installment payment method. If a consumer missed an installment payment, BlueHippo represented that consumers could convert installments already paid to credits, with which they could buy other products from BlueHippo’s online store. The catch is that allegedly, consumers’ use of the credits was significantly restricted and the credits could not be used to cover shipping and other similar fees.

As a result, the FTC charged BlueHippo with deception under Section 5 of the FTC Act, and the parties entered into a consent order to resolve the charge.

The FTC later alleged that BlueHippo violated the consent order by misrepresenting its consumer financing of the computers, its failure to disclose its store credit policy, and its conditioning sales upon mandatory pre-authorized electronic funds transfer from consumers. The FTC sought $14 million in damages, based upon the gross receipts of BlueHippo’s 55,892 customers.

The Second Circuit upheld the FTC’s $14 million claim in 2014, holding that the “FTC is entitled to a presumption of consumer reliance upon showing that (1) the defendant made material misrepresentations or omissions that ‘were of a kind usually relied upon by reasonable prudent persons’; (2) the misrepresentations or omissions were widely disseminated; and (3) consumers actually purchased the defendants’ products.”

The Second Circuit remanded the matter to the trial court, and in April of 2016, the trial court found that BlueHippo and its CEO were in contempt of the court’s order, entering a judgment against the CEO for $13.4 million.

Why not the full $14 million? Certain amounts were deducted from the total. Ultimately, the parties agreed on the amount BlueHippo paid in cash refunds, and the court convinced the FTC to agree with the defendant’s computation of state settlement payments. The court also dismissed as “speculative” the defendant’s claim for discovery that there were some states in which no consumers were charged fees.

That last point is an important one. The FTC’s presumption of consumer harm not only resulted in the original $14 million court order, but also formed the basis of the $13.4 million contempt order as well as the denial of discovery on whether consumers were charged fees.

Prop 65 safe harbor level for BPA finalized

Following the California Office of Environmental Health Hazard Assessment’s proposed regulations for temporary point-of-sale warnings for BPA exposures from canned and bottled foods and beverages, this week OEHHA finalized the Maximum Allowable Dose Level for BPA of 3 micrograms per day from dermal exposure from solid materials. The MADL will go into effect on October 1, 2016.

Once in effect, this will be the rate of exposure at which a warning will be required for dermal exposure to BPA.

Now that the first BPA 60-day notice of violation is out, it remains to be seen whether this seemingly low MADL for just dermal absorption will result in significant numbers of enforcement actions. Proving that an average user is not exposed to 3 µg/day of BPA just from touching a product may be difficult for defendants, unlike, for example, lead cases, in which ingestion through hand-to-mouth activities often drives exposure and has limited the types of products ripe for Proposition 65 claims.

The dermal MADL also provides little to no guidance for food and beverage manufacturers, as there still remains no safe harbor level for ingestion.

The seal is broken on BPA

After significant industry speculation over what consumer products would be the first targets for Proposition 65 BPA enforcement, the Center for Environmental Health issued the first BPA 60-day notice of violation on June 14, 2016, a little over a month after BPA’s listing anniversary date. The notice is not for canned food; it is not for sunglasses. The inaugural notice is for a thermal-printed receipt provided to the Center for Environmental Health after (presumably) purchasing food at a Del Taco.

2016-00570_Page_1

Thermal printing is widely used to print receipts because these printers are both fast and do not require ink.  These printers work by heating specially prepared receipt paper in a precise fashion to produce both images and characters.  Some advocacy groups had previously taken-up the issue of BPA in thermal receipt paper, and there are receipt papers on the market that are specifically marketed as being BPA free.  We don’t know whether this signifies the start of a trend for thermal receipt paper claims, but we will continue to watch for more notices.

We will also be watching how this initial notice plays out – typically, exposure analyses for lead and phthalates have focused on the hand-to-mouth exposure pathway. With a proposed safe harbor level of 3 µg/day for BPA, we are interested to see whether dermal exposure alone is enough to cause a significant exposure.

Congress passes TSCA reform bill – no relief from Prop 65

After decades of stalled efforts, the House and Senate have both passed TSCA reform legislation. The bill, the Frank R. Lautenberg Chemical Safety for the 21st Century Act (H.R. 2576), is the result of extensive negotiations between the House and Senate to reconcile differences between competing TSCA reform bills in both houses. We expect the President to sign the bill in short order.

While the bill is welcome reform of a failed law, it’s primary impact will be to manufacturers, as it requires review of existing chemicals in use (eliminating TSCA’s grandfathering) and new chemicals prior to introduction into the market. But its effects will likely be felt all throughout the supply chain, as EPA has the authority to ban, phase-out, or restrict chemicals that pose an unreasonable risk to health or the environment.

Perhaps most important to readers of this blog, the reform bill does not preempt any chemicals management laws in effect prior to April 22, 2016, or any actions taken under laws in effect as of 2003 – it does not preempt Proposition 65, or most of the patchwork of state green chemistry laws already in effect.

EPA will need to undertake extensive rulemaking to implement the changes, and we will keep you updated on those rules as they develop.

Key Provisions

EPA Review of Chemicals – the bill mandates EPA review of new and existing chemicals in commerce to determine whether they pose an unreasonable risk to health or the environment. EPA may only consider health and environmental impact data in making this threshold determination – it may not look at economic impacts or undertake a cost/benefit analysis, which was a common complaint about the existing TSCA regime. New chemicals may not be introduced into the US market without EPA review, and EPA must prioritize existing chemicals for ongoing review (at least 20 “high priority” existing chemicals within three and half years).

Regulation of Chemicals – if EPA determines a chemical poses an unreasonable risk, it must impose regulations to eliminate the risk. This can include bans, phase-outs, or restrictions on use. Unlike the threshold determination, EPA must consider the costs and benefits of a given regulatory response, as well as the availability of alternatives. Exemptions exist for restrictions that would disrupt the national economy and for replacement parts.

Federal Preemption – the bill preempts state or local chemical restrictions except for statutes and regulations existing prior to April 22, 2016 and actions taken under laws in effect as of August 31, 2003 (for example, OEHHA can add a new chemical to the Proposition 65 list because of the August 2003 preemption date). Preemption includes only restrictions – it does not extend to state laws that require reporting or monitoring. Under these terms, none of the major chemicals managements laws appear to be preempted, including:

Confidential Business Information – the bill moves away from TSCA’s current broad protections for CBI claims. All CBI claims for new chemicals must be substantiated and expire after 10 years, unless re-substantiated. The bill specifies some types of information as presumptively CBI (e.g., mixture composition, sales and marketing information), but expressly excludes health and safety data from CBI protection. EPA must also look at existing CBI claims to determine whether such claims are substantiated and should remain.

Fees and Penalties – the bill imposes fees on industry to cover (some of) the costs of implementation, up to $25 million annually. We expect new chemical review applications will require payment of fees to cover EPA’s costs. The bill also provides for maximum civil penalties of $37,500 per violation, and maximum criminal penalties of $50,000 per violation.

LexBlog