Retailers must upgrade online credit card processing security by June 30

By June 30, 2018, retailers accepting digital (online) credit card transactions must cease using encryption protocols known as SSL or TLS 1.0. Retailers must transition to TLS 1.1 or higher (such as the popular TLS 1.2) or else lose the ability to accept credit card payments. Note also that Nevada law requires compliance with the Payment Card Industry Data Security Standards (PCI DSS) with respect to Nevada cardholders.

The reason for the change is the PCI DSS, when version 3.1 was issued in April of 2015. Encryption protocol TLS 1.0 dates back to 1999, and was vulnerable to a variety of cyberattacks, including POODLE in 2014. TLS 1.1 was issued in 2006, and TLS 1.2 was issued in 2008. Any server using any Windows Server version older than 2008 will not support either TLS 1.1 or 1.2, so upgrading encryption may involve more than a quick protocol fix. The PCI Security Standard Council has offered guidance on moving to higher encryption protocols, including an infographic.

Retailers who had previously upgraded their on-premises equipment with credit card chip readers have probably already seen fraudulent credit card charges decrease. As of February 2018, VISA reported that this type of fraud had decreased 70% in the U.S. as of September 2017, as compared to fraud reported in December 2015. Visa also reported that EMV (Europay, MasterCard, VISA) chip cards accounted for 96% of the overall payment volume in the United States in December 2017, with chip payment volume reaching $78 billion.

Retailers who need to upgrade their encryption protocols have no time to waste. Retailers using third-party processors should check to make sure the processor will meet the deadline.

California proposes to exempt coffee from Prop 65 warning requirement

On April 12, 2018, we wrote about the decision in Council for Research on Education in Toxics v. Starbucks, in which a California Superior Court judge rejected the evidence presented by coffee roasters and retailers to demonstrate that exposures to acrylamide in coffee were exempt from Proposition 65’s warning requirement. With a motion for permanent injunction to be heard on July 31, despite widespread criticism of the basis of the court’s ruling (see, e.g., articles from NPR, CBS News, Self Magazine, and WebMD), it appeared that Prop 65 warnings for coffee would soon proliferate in California.

On June 18, 2018, the California Environmental Protection Office of Health Hazard Assessment (OEHHA) responded to the court’s ruling by proposing a regulation that would state that exposures to Proposition 65 listed chemicals in coffee, such as acrylamide, that are produced as part of the processes of roasting and brewing coffee, pose no significant risk of cancer.

The Agency’s rationale for exempting chemicals in coffee from Prop 65

The Initial Statement of Reasons for the proposed regulation reviewed the findings of the International Agency for Research on Cancer’s (IARC) Monograph on Coffee, Mate, and Very Hot Beverages and American Cancer Society statistics for California, to conclude that coffee reduces cancer risk:

In total, there is moderate or strong evidence that coffee either reduces risk or does not affect risk of cancers that account for 43 percent of cancers diagnosed in women and 29 percent of cancers diagnosed in men in California. There was also moderate evidence that coffee drinking reduced the risk of colorectal adenoma, a precursor lesion for a cancer that accounts for 6 percent of cancer diagnoses. Consistent results are found when US National Cancer Institute statistics for cancer diagnoses are used. Coffee drinking was not found to increase or probably increase any types of cancer in men or women.

OEHHA contrasted the complex mixture of chemicals in coffee from other complex mixtures that have been found to be carcinogenic to humans, including tobacco smoke, diesel engine exhaust, and alcoholic beverages, and pointed to mechanisms by which various anticarcinogens in coffee may produce such distinctions. Notably, the proposed exemption applies to all chemicals in coffee that are created as a result of the roasting or brewing processes, not just acrylamide, which was the subject of the CERT litigation.

What’s Next?

OEHHA has set a public hearing for August 16, with the public comment period to close by August 30. There is no express timetable for consideration of the public comments and proposal of a final regulation at this point.

Implications for the Regulation

OEHHA clearly had the court’s ruling in mind as a basis for proposing this exemption. According to the agency:

The effect of [the court’s] ruling is that exposures to acrylamide in coffee may require Proposition 65 warnings. OEHHA understands that this proposed regulation, if adopted, may cause businesses to ask courts to modify consent judgments or to seek reconsideration of court rulings and may result in businesses that are voluntarily providing warnings to choose not to do so.

It is too early to determine how this regulation, if adopted, will affect the litigation. Because OEHHA intended for the regulation to serve as a basis for reconsideration, it would appear to be a sound legal basis for such an outcome, which we expect the defense to press vigorously. While the court will hear CERT’s request for a permanent injunction on July 31, it has not yet set a date for the resumption of the trial on CERT’s claim for civil penalties.

Interestingly, OEHHA’s approach of addressing cancer risk from coffee containing acrylamide and other carcinogens–as opposed to an abstract consideration of the amount acrylamide in coffee to which consumers are exposed–was deemed by the court to be insufficient under OEHHA’s “no significant risk” regulations, when presented by the defense in the first phase of the trial. The rationale for this regulatory action by OEHHA appears to cast serious doubt on that legal analysis.

Companies not involved in the litigation who sell coffee in California may breathe a bit easier, knowing that there is at least a very open question whether follow-on litigation may be brought by CERT or others over exposure to acrylamide in coffee. We would hope that the Attorney General’s office will closely scrutinize any certificate of merit offered by a private enforcer in connection with a 60-day notice alleging exposure to acrylamide or other listed chemicals in coffee (including furfuryl alcohol), in light of OEHHA’s findings on the subject. And, hopefully, consumers can relax with their morning cup of Joe without fear that they are increasing their cancer risk.

LA judge rules that coffee requires a Proposition 65 warning for acrylamide

On March 28, 2018, Superior Court Judge Elihu Berle issued a proposed statement of decision that would require coffee roasters and retailers to provide Proposition 65 cancer warnings for coffee sold in California.

What the case is about

Plaintiff Council for Research and Education on Toxics (CERT) asserts that approximately 70 coffee roasters and retailers are required to provide cancer warnings for exposure to acrylamide in coffee. Acrylamide is listed as a carcinogen based on laboratory animal studies, but has not been proven to cause cancer in humans. Acrylamide is not added to coffee, but is formed in a complex chemical reaction when coffee is roasted (as is the case with other foods such as French fries and potato chips, in which acrylamide is formed when they are baked or fried).

Prop 65 liability issues

Once a plaintiff demonstrates an exposure to a listed chemical, Prop 65 puts the burden on defendants to demonstrate that the amount of exposure to a carcinogen such as acrylamide falls below the level at which a warning is required. For carcinogens, that level is defined as the no significant risk level, which is a default level of one excess case of cancer in 100,000 persons exposed. A business may seek to apply an “alternative significant risk level” (ASRL), where justified by “sound considerations of public health.” One such consideration is the so-called “cooking exemption”: “Where chemicals in food are produced by cooking necessary to render the food palatable or to avoid microbiological contamination.”

Phased dispute

The decision followed an initial phase of trial, in which Judge Berle found that the roasters failed to prove that:

  • the level of acrylamide in coffee was below the NSRL;
  • requiring a Proposition 65 warning for exposure to acrylamide in coffee violated the First Amendment by imposing misleading speech because coffee use was not associated with an increased risk of cancer, and was actually associated with a decreased risk of certain cancers; and
  • the Proposition 65 warning requirement was preempted by federal law.

Before the second phase of trial, the court granted summary adjudication to the plaintiff, finding that virtually all of the defendants knowingly and intentionally exposed individuals to acrylamide in coffee without providing a warning, on at least one occasion.

The second phase

The issues remaining to be tried were the ASRL defense, and the issues of civil penalties and injunctive relief, if the defendants did not prevail. In the first part of this phase, the parties submitted expert testimony on the ASRL defense.

The defense argued that the “cooking exception”—where chemicals in food are produced by cooking necessary to render the food palatable or to avoid microbiological contamination—supported a de facto defense, since acrylamide was formed during the roasting process. Roasting is both necessary to render coffee palatable and to destroy microbiological contamination. The defense argued alternatively that substantial epidemiological literature supported the concept that coffee had significant health benefits, justifying a lower risk level, and relied in part on the testimony of former FDA Commissioner David Kessler to support this argument. The defense also introduced testimony about the amount of the exposure based on testing of over 500 samples of coffee performed at Covance Laboratories and analyzed by an expert in exposure assessment. Plaintiff presented no evidence to counter this evidence.

Judge Berle rejected the defense’s assertion that the cooking exception was sufficient to avoid liability without quantifying the amount of the exposure. He also rejected Commissioner Kessler’s testimony about alternative risk levels, and the defense’s exposure assessment evidence, finding that the Covance data was not shown to be reliable because it was a novel technique that the scientific community has not yet generally accepted. He alternatively found that the Covance lab director and the expert were not credible, although he did not explain his reasoning on these findings.

Going forward

The defense will file objections to the proposed statement of decision shortly, although there is no reason to believe that Judge Berle will change his decision. The final phase of the dispute is not yet completed, as there will be a trial for the court to take evidence on the issues of civil penalties and injunctive relief. The potential exposure in this case is astronomical, with millions of units of coffee sold each year, and a maximum penalty of up to $2,500 per violation per day. It is anticipated that plaintiff will move for an injunction requiring the defendants to provide Proposition 65 warnings pending the conclusion of the case and appeal. There is no date yet set for this remedies phase, which could take upwards of two months to complete, based on the number of companies involved in the litigation.

The year in review: cosmetics remain target of California VOC enforcement

A year-end review of the California Air Resource Board’s published enforcement settlements highlights that cosmetics remain a priority for ARB under the General Consumer Products Regulation, which limits the amount of volatile organic compounds (VOC) in consumer products.

The General Consumer Products Regulation

The ARB General Consumer Products Regulation sets VOC limits (percent by weight) for a variety of consumer products, including hair styling products, personal fragrance products, and nail care products. Covered consumer products may not be sold, supplied, offered for sale, or manufactured for sale in California unless they meet the applicable limit.

For strict liability offenses, penalties can be assessed at up to $5,000 per day, or up to $10,000 per day, but at this higher maximum, the alleged violator may assert an affirmative defense that the violation was not the result of intentional or negligent conduct. Generally, ARB seems to pursue the $5,000 threshold for strict liability violations. Negligent violations are subject to $25,000 per day per violation.

(As a quick aside, the Legislature recently amended the Health and Safety Code to increase the maximum for strict liability violations from $1,000 to 5,000 per day, effective January 1, 2018).

ARB enforcement

ARB’s process for enforcement starts with market surveillance, in which it purchases products, tests them for VOC content, and upon finding a violation, initiates an informal investigation. This includes requesting sales data from the domestic manufacturer, importer, or private labeler, as well as any mitigating information. ARB will then propose a penalty settlement amount based on the following formula, and this proposal serves as the starting point for negotiations.

For first time violations, ARB has developed an administrative penalty formula based on excess tons of VOC emitted from the offending product. Under this approach, ARB seeks a penalty of $22,000 per excess ton of VOC.  The floor for de minimis violations tends to be $3,000. For repeat violations or first time violations with aggravating circumstances, ARB will use the “per day” penalty scheme set forth above, seeking penalties for each day the product was available for sale in California. ARB will base the per day penalty amount on a sliding scale, taking into account various penalty factors, including past violations, remedial measures, and economic hardship. ARB has published an enforcement policy document outlining its approach to enforcement.

Cosmetics settlements

Since 2016 (we are fudging the “year in review” concept a little bit to provide more meaningful data), ARB has settled 23 cases involving cosmetic products, primarily for hair styling products and nail polish removers. The alleged violations ranged from 0.078 to 9.81 tons in excess VOC emissions (there was one de minimis violation, which we assigned a tonnage of 0.001), and the penalties ranged from $3,000 to $199,500:

In 17 out of the 23 settlements, ARB reduced the penalties for first time violators who cooperated in ARB’s investigation. ARB also factored in economic or financial hardship to reduce penalties in three settlements.

All told, ARB collected nearly $650,000 from cosmetics manufacturers and private labelers during that span (for reference, ARB collected a total of $1.3 million in 2016 from all Consumer Product regulation settlements combined).

E-A-G-L-E-S EAGLES!!!!

New security requirements issued for credit card payments on mobile devices

Check out this new post from my colleague, Sue Ross, covering new standards for mobile device credit card payments, including at retail stores. The Payment Card Industry (PCI) Security Standards Council recently announced the new standards, which apply to PIN entry transactions on smartphones and tablets used at point-of-sale. The post is published in Norton Rose Fulbright’s Data Protection Report.

Trump FDA relaxes FSMA enforcement

On Januay 5, 2018, the FDA announced that it will relax enforcement of the Food Safety Modernization Act in specified areas. Our colleagues at the Norton Rose Fulbright Health Law Pulse have put together a brief summary and analysis explaining the announcement, which is likely to have impacts on retailers and their food contact substance suppliers.

CPSC finalizes phthalate rule that may cause headaches for imports

The U.S. Consumer Product Safety Commission has finally published its Final Rule on phthalates. CPSC first proposed the rule nearly three years ago, and its publication brings to eight the number of phthalates included in CPSC’s consumer product safety standard for children’s toys and child care articles.

The rule is effective April 25, 2018 – but in a move that is likely to have serious implications for importers of record, it applies to children’s toys and child care articles domestically manufactured or imported on or after that date, regardless of date of manufacture. These products will need to be tested for all eight phthalates by a third party CPSC-approved testing lab and certified as compliant by the manufacturer or importer of record. Importers of record will need to consider how to approach certification if they import products with significant gaps between time of manufacture overseas and importation.

What changed?

The current version of Section 108 prohibits the phthalates DEHP, DBP, and BBP in concentrations above 0.1 percent (1,000 parts per million) in children’s toys and child care articles. CPSIA defines a children’s toy as “a consumer product designed or intended by the manufacturer for a child who is 12 years old or younger for use by the child when the child plays.” It defines a child care article as “a consumer product designed or intended by the manufacturer to facilitate sleep or the feeding of children age 3 and younger, or to help such children with sucking or teething.”

The Final Rule now also restricts the following five phthalates to 1,000 ppm:

  • DINP
  • DIBP
  • DPENP
  • DHEXP
  • DCHP

Import disaster

With regard to the issue of import date, in its rulemaking file, CPSC stated that it “expects that the rule will require minimal changes for manufacturers and testing laboratories. Therefore 180 days from publication in the Federal Register should be sufficient time for the rule to take effect.”  On the contrary, we expect CPSC and CBP will have a mess on their hands in April.

Proposition 65 Listed Chemical update

Here is the latest roundup of Proposition 65 chemical issues looming on the horizon for consumer products. Reminder: warnings are required 12 months after the listing effective date, assuming that there is an exposure, and the exposure exceeds the level that requires a warning:

Listed effective Oct. 27, 2017:

  • N,N-Dimethylformamide (DMF), CAS No. 68-12-2, used in leather tanning, production of plastics and acrylic fibers, and manufacture of adhesives, synthetic leathers, and surface coatings.
  • 2-Mercaptobenzothiazole (MBT), CAS No. 149-30-4, used in vulcanization of rubber and dopamine beta-hydroxylase inhibition, and used for antibacterial and antifungal purposes.
  • Tetrabromobisphenol A (TBBPA), CAS No. 79-94-7, used as a reactive flame retardant to produce a bromine-containing epoxy resin and polycarbonate, an intermediate for synthesis of other complex flame retardants, and an additive flame retardant for ABS, HIPS, unsaturated polyester rigid polyurethane foams, adhesives and coatings.

Listed effective Nov. 10, 2017:

  • Perfluorooctanoic acid (PFOA), CAS No. 335-67-1, surfactant used in a variety of consumer products, including carpets, textiles, leather, non-stick cookware, and paper coatings used in food packaging, to confer stain, grease and water resistance; PFOA is used in the production of fluorpolymers.
  • Perfluorooctane sulfonate (PFOS), CAS No. 1763-23-1, surfactant used in a variety of consumer products, including carpets, textiles, leather, non-stick cookware, and paper coatings used in food packaging, to confer stain, grease and water resistance.

 

California enacts law requiring cleaning product ingredient disclosures

California has enacted Senate Bill 258, the “Cleaning Products Right to Know Act of 2017.” SB 258 requires cleaning product manufacturers to disclose the ingredients of their products to consumers. The bill is a victory for disclosure advocates after many failed attempts at a California “right-to-know.” The first disclosure requirements take effect for products manufactured on and after January 1, 2020.

Disclosure Requirements

SB 258 requires ingredient disclosure in two ways – online disclosures and product labeling. Manufacturers must comply with both requirements, although the compliance dates are phased in.

Online disclosures

Manufacturers of cleaning products sold in California must post the following information on their websites for each product:

  • A list of “intentionally added” ingredients in the product;
  • A list of all “nonfunctional constituents” present in the designated product at a concentration at or above 0.01 percent (100 parts per million);
  • The Chemical Abstracts Service (CAS) chemical identification number for all listed chemicals;
  • The functional purpose served by each intentionally added ingredient;
  • Hyperlinks to government information websites for chemicals, such as the Office of Environmental Health Hazard Assessment Proposition 65 consumer information website; and
  • A hyperlink to the Safety Data Sheet (SDS) for each product.

An “intentionally added” ingredient is a chemical that a manufacturer has added to a designated product that has a functional or technical effect. “Nonfunctional constituents” are “incidental component[s] of an intentionally added ingredient, a breakdown product of an intentionally added ingredient, or a byproduct of the manufacturing process that has no functional or technical effect on the designated product.”

This requirement applies to designated products sold in California on or after January 1, 2020, unless they are manufactured prior to that date and are marked with the manufacture date (date codes are permissible). In addition, designated chemicals appearing on the California Proposition 65 list do not need to be listed on the website until January 1, 2023.

Product labeling

Manufacturers of cleaning products sold in California must also include on the label for each product:

  • A list of “intentionally added” ingredients in the product that are currently listed on any of a number of well-known lists of designated toxins, carcinogens, chemicals of high concern, etc.; and
  • The manufacturer’s toll-free telephone number and internet web site address.

The Act specifically identifies 23 chemical lists, including:

  • California Proposition 65;
  • Washington Department of Ecology’s PBT chemicals;
  • Chemicals included in the EU Candidate List of Substances of Very High Concern (SVHC); and
  • Carcinogens identified by the International Agency for Research on Cancer (IARC).

The labeling requirement does not apply to contaminants, in contrast to the online disclosure requirement.

If a manufacturer cannot list all of the required information on the label, it must provide a statement directing consumers to a web address or toll free number for complete ingredient information. Manufacturers may also provide information via developing consumer information technology, such as QR codes or other electronic links.

Who must comply?

SB 258 applies to “manufacturers” of “designated products.”

A “manufacturer” is a “person or entity who manufactures the designated product and whose name appears on the product label” or a “person or entity who the product is manufactured for or distributed by, as identified on the product label under to the federal Fair Packaging and Labeling Act.”

A “designated product” is a “finished product that is an air care product, automotive product, general cleaning product, or a polish or floor maintenance product used primarily for janitorial, domestic, or institutional cleaning purposes.”

Exemptions

SB 258 does not apply to:

  • Foods, drugs, and cosmetics, including personal care items such as toothpaste, shampoo, and hand soap;
  • Industrial products manufactured for and exclusively used in:
    • Oil and gas production.
    • Steel production.
    • Heavy industry manufacturing.
    • Industrial water treatment.
    • Industrial textile maintenance and processing other than industrial laundering.
    • Food and beverage processing and packaging.
    • Other industrial manufacturing processes.

Exceptions for “Confidential Business Information”

The Act provides some slight exceptions for “confidential business information,” but does not permit CBI claims to cover a chemical ingredient appearing on any of the designated lists of chemicals identified as causing harm to human health or the environment and certain fragrance allergens. Beyond those designated list chemicals, an ingredient may be protected as CBI if it is “a claim [that] has been approved by the United States Environmental Protection Agency (US EPA) for inclusion on the Toxic Substances Control Act (TSCA) Confidential Inventory, or for which the manufacturer or its suppliers claim protection under the Uniform Trade Secrets Act.” The CBI provisions are complex and should be consulted in detail when assessing compliance approaches to the Act.

Requirements for Employers

SB 258 also adds a requirement for employers to make the ingredient information listed on a manufacturer’s website available to employees in the workplace if the employer is already required to make safety data sheets/SDS readily accessible employees.

Enforcement

SB 258 does included a specific enforcement provision, and more general enforcement provisions in the Health and Safety Code appear to be inapplicable. At a minimum, we could see the Attorney General or district or city attorneys enforcing violations under California’s Unfair Competition Law, but we will be on the lookout for more guidance from the state on enforcement.

 

Oregon children’s product reporting instructions and portal go live

With less than three months to go before the first biennial reporting deadline, the Oregon Health Authority has opened its reporting portal and issued instructions for reporting under the Oregon Toxic Free Kids Act. The Act requires manufacturers (or importers into the state) to report the existence of “High Priority Chemicals of Concern for Children’s Health” (HPCCCH) contained in children’s products offered for sale in Oregon, if the HPCCCH are intentionally added above de minimis levels or are present as contaminants above 100 parts per million. The first reporting deadline is January 1, 2018, for all covered products sold offered for sale or sold in the state in 2017.

Manufacturers are “any person that produces a children’s product or an importer or domestic distributor of a children’s product.” An importer is “the owner of the children’s product.”

“Children’s products” are:

(A) Any of the following products that are made for, marketed for use by or marketed to children under 12 years of age:

(i) A product designed or intended by the manufacturer to facilitate sucking, teething, sleep, relaxation, feeding or drinking.

(ii) Children’s clothing and footwear.

(iii) Car seats.

(iv) Children’s cosmetics.

(v) Children’s jewelry.

(vi) Toys.

The Act specifically exempts a number of products, ranging from athletic shoes with cleats/spikes to bicycles to scooters.

The reporting form and required information appear to track closely to the Washington Children’s Safe Products Act. Key differences are that:

  • Reporting entities must pay a $250 fee for each HPCCCH reported, regardless of how many different products contain that HPCCCH; and
  • There is NO exception for inaccessible components.

To report, a manufacturer/importer must first fill out a “Notice Template” identifying:

  • Manufacturer/importer
  • Product brick
  • Component name
  • Chemical name and CAS number of each HPCCCH
  • Concentration range
  • Chemical function
  • Target age
  • Number of bricks sold in Oregon in 2017; and
  • Number of bricks offered for sale in Oregon in 2017.

The Notice Template is a downloadable spreadsheet.

Second, the manufacturer/importer must submit the appropriate fee amount (by check or credit/debit) to the OHA (as noted above, each HPCCCH requires a $250 payment, regardless of how many product bricks contain that HPCCCH).

Finally, the manufacturer/importer must go to the OHA reporting portal to upload and submit the completed Notice Template and payment receipt ID.

LexBlog