Will new House majority lead to a federal supply chain transparency law?

Will Troutman (US)Phil Di Tullio (US)By Will Troutman (US) and Phil Di Tullio (US) on Posted in General

Privately, companies have long self-regulated supply chains to prevent human trafficking, forced labor, and child exploitation. Meanwhile, governmental efforts have lagged in the public sphere. But the past few years have shown a marked change. California, the United Kingdom, France, and Australia have enacted legislation requiring companies to publicly disclose the steps they are taking to eradicate slavery and human trafficking in their operations and supply chains for each financial year. Canada is currently considering similar legislation.

If at first you don’t succeed….

While the US government has not yet passed a comparable law, it is not for lack of trying—the Congressional Human Trafficking Caucus has introduced disclosure legislation at least five times since 2011—most recently this past October. The prior legislation, like its predecessors, uses the Securities Exchange Act as the lever to require all public companies with annual worldwide revenue over $100 million to disclose prescribed information to the SEC. In addition to this information being public via the SEC, the prior legislation would also require covered companies to publish the information on their websites. The disclosures would include all policies and measures a company is taking to identify, address, and remedy human trafficking, forced labor, and child exploitation occurring within its supply chain, including whether a company:

  • Maintains policies to identify and eliminate these practices within its supply chain
  • Requires downstream and upstream contractors to attest that the materials and labor used to manufacture its products are in compliance with laws and corporate standards regarding these practices
  • Implements any internal accountability standards and supply chain reporting procedures to address violations within the supply chain
  • Offers training to contractors within its supply chain
  • Verifies contractor compliance with relevant laws and corporate standards
  • Takes remedial actions if it becomes aware of a violation, and what those actions might be

Borrowing from existing law

The bill is strikingly similar to California’s Transparency in Supply Chains Act. The California law requires website disclosures of efforts to eradicate slavery and human trafficking from its direct supply chain, including information on verification, auditing, internal accountability, and training. California’s law is more limited in scope than the federal efforts, as it applies only to retailers and manufacturers doing business in California with annual worldwide revenue over $100 million—rather than any public company.

We expect that a similar bill will be introduced in the House this year, with its new Democratic majority. While the last iteration of the bill was dead-on-arrival in the lame duck Congress, the ushering in of a new session—and importantly a new Democratic majority—makes it far more likely that a similar version of this bill may become law within the next two years. Getting out of the House may be all that is needed to finally push this bill into law, as the prior efforts have all had bi-partisan co-sponsors.

Such a vast expansion of mandatory corporate disclosures would create not only additional legal obligations for covered companies, but could also have significant implications on social responsibility efforts, public relations campaigns, and corporate bottom-lines. Due to the public nature of the disclosures, covered companies can count on NGOs poring over their disclosures.

Proposition 65 survival guide

Jeff Margulies (US)Will Troutman (US)Lauren Shoor (US)Andy Guo (US)Shirley Kim (US)By Jeff Margulies (US), Will Troutman (US), Lauren Shoor (US), Andy Guo (US) and Shirley Kim (US) on Posted in California Proposition 65

At long last, it’s here—OEHHA’s long-awaited amendments to the Proposition 65 “clear and reasonable warning” regulations become mandatory for products manufactured on and after August 30, 2018.

As we are sure you’ve probably heard ad nauseam by now, the revisions make two key changes to the Proposition 65 regulations: (1) for the first time, they allocate responsibility for warnings among suppliers and retailers; and (2) they make several substantive changes to the content and methods of transmission for “safe harbor” warnings.

While we have posted a detailed summary of the new amendments if you want to get into the weeds, here is a quick refresher. The amendments:

  • Place the primary responsibility for warnings on manufacturers, distributors, importers, and private label retailers, while providing an exception to liability for retailers functioning in a pure retail role;
  • Require the inclusion of a warning symbol, specific warning language, and identification of at least one chemical in the warning; and
  • Prescribe specific warning language and methods for certain product categories, including furniture, raw wood, food, and alcoholic beverages.

Proposition 65 Survival Guide

Based on the questions we’ve heard over the past year, the changes have created significant confusion and challenges for suppliers and retailers. In light of this, we thought it would be helpful to provide a “survival guide” of guidance and reference materials for businesses:

California Proposition 65 amended warning regulations

Jeff Margulies (US)Will Troutman (US)Lauren Shoor (US)Andy Guo (US)Shirley Kim (US)By Jeff Margulies (US), Will Troutman (US), Lauren Shoor (US), Andy Guo (US) and Shirley Kim (US) on Posted in California Proposition 65

On August 30, 2016, OEHHA’s long-awaited amendments to the Proposition 65 clear and reasonable warning regulations became final.  The amendments bring two major changes: (1) an allocation of responsibility for providing warnings between retailers and suppliers; and (2) revisions to the safe harbor warning requirements, including warning content and methods of transmission.

Allocation of Responsibility

Under the existing Proposition 65 regulations, any party in the supply chain could be held liable for failure to provide a warning.  The revised regulations allocate responsibility for warnings primarily to manufacturers, distributors, and importers (together, suppliers), with retailers responsible in specified circumstances.

Suppliers can meet their warning obligation “either by affixing a label to the product bearing a warning…, or by providing a written notice directly to the authorized agent for a retail seller.”  27 Cal. Code Regs. § 25600.2.

The only situations where a retailer is primarily responsible for providing a warning (i.e., may be liable in an enforcement action) are when:

  • The retailer sells the product under its private label, brand, or trademark.
  • The retailer has knowingly and intentionally introduced a listed chemical into the product, or caused a listed chemical to be created in the product.
  • The retailer has covered, obscured or altered a warning label.
  • The retailer has received warning information and materials from the supplier and does not post them—note that consent for the warnings from the retailer is not required; the supplier need only send the information to the retailer’s authorized agent.
  • The retailer has actual knowledge of the potential product exposure requiring the warning, and the suppliers are exempt

A retailer can modify this allocation by contract, requiring its suppliers and other vendors to provide a warning, as long as a required warning is ultimately provided.

If a warning is not provided and the retailer meets one of these conditions, it will find itself in the same situation as before the amendments: it can be sued by a private or public enforcer, and it will need to consider seeking defense and indemnity from its supplier.

The Five Business Day Exemption for Retailers

The good news for retailers is that they will not be liable for an enforcement action in which a product was supplied by a domestic, non-exempt entity that did not provide warning materials to the retailer, and none of the other four conditions apply, provided that they stop selling the product at issue or provide a warning for it within five business days of receipt of the 60-day Notice initiating the enforcement action.

Safe Harbor Warning Methods for Consumer Products

Labeling

The regulation requires that warnings be “prominently displayed” on a label, labeling or sign.  The warning must be displayed such that, when compared with other words, statements, or designs on the label, the warning is “likely to be read and understood by an ordinary individual under customary conditions of purchase or use.”

Environmental warnings must be displayed so that they should be seen and understood by an “ordinary individual in the course of normal daily activity.”

In-Store Signage and Catch-All Warning

To meet the safe harbor method for brick-and-mortar stores, warnings must be provided on product labels or at the point of display (product-specific posted or shelf signs). Point of sale signs (other than the BPA signs) are not approved safe harbor warning methods.

A retailer may also provide a warning by any electronic device or process that provides the warning prior to or during the purchaser without requiring the consumer to seek out the warning.  Examples include electronic shopping carts, QR Codes, smart phone applications, barcode scanners, and self-checkout registers.

Online and Catalog Warnings

For online transactions, retailers must include either the warning or a clearly-marked hyperlink using the word “WARNING” on the product display page, or by otherwise prominently displaying the warning to the purchaser prior to completing the purchase.  For catalogs, warnings must be clearly associated with corresponding products.

According to OEHHA guidance, online and catalog warnings must be provided even if the product is already labeled with a warning.  Warnings contained within general website content will not meet the safe harbor method.

Safe Harbor Warning Messages for Consumer Products

To meet the safe harbor, the amendments require the inclusion of a warning symbol and specific identification of at least one chemical in the product that is associated with the warning’s toxicological endpoint (cancer or reproductive harm). Warnings must be provided in the same language or languages as any other label, labeling or sign accompanying a product.

Standard warning language

Carcinogen or Reproductive Toxicant Warning

 WARNING This product can expose you to [name of one or more chemicals], a chemical [or chemicals] known to the State of California to cause [cancer] [birth defects or other reproductive harm]. For more information go to www.P65Warnings.ca.gov/product.

Warnings for Both Cancer and Reproductive Toxicity

 WARNING This product can expose you to chemicals including [name of one or more chemicals], which is [are] known to the State of California to cause cancer, and [name of one or more chemicals], which is [are] known to the State of California to cause birth defects or other reproductive harm. For more information go to www.P65Warnings.ca.gov.

Short form warnings

The regulations permit the use of short form warnings on products that do not require chemical identification (OEHHA’s original purpose in permitting short form warnings was for products for which the standard warnings is not practical due to size or amount of packaging):

 WARNING–Cancer–P65Warnings.ca.gov/product.

 WARNING–Reproductive Harm–P65Warnings.ca.gov/product.

If a product is labeled with a short form warning, a retailer may provide the short form warning on the website for online transactions.

Warning language for specific products

The amendments contain several product-specific safe harbors that generally tweak the warning language or add additional requirements, including:

  • Food and dietary supplements
  • Alcoholic beverages
  • Food and non-alcoholic beverages in restaurants
  • Raw wood
  • Furniture
  • Prescription drugs and emergency medical or dental care
  • Diesel engine exhaust
  • Vehicle and RV exhaust
  • Parking garages
  • Amusement parks
  • Petroleum products in industrial settings
  • Service stations and automotive repair
  • Smoking areas.

Timing

The amendments are not mandatory until August 30, 2018.  Products manufactured prior to August 30, 2018 may either comply with the regulations as previously written or the new regulations.  Warnings imposed by court-ordered settlements or final judgments are grandfathered in and will still be deemed compliant with Proposition 65.

California adopts GDPR-like data privacy law

Will Troutman (US)Spencer Persson (US)By Will Troutman (US) and Spencer Persson (US) on Posted in General, Recent legislation and regulations

On June 28, 2018, the California legislature enacted the California Consumer Privacy Act of 2018 (the “CCPA”) a sweeping, GDPR-like privacy law that is likely to apply to most retailers that operate in California. It includes disclosure requirements, consumer access rights, opt-out rights, and deletion rights. The new law is set to take effect on January 1, 2020.  Check out this summary and analysis of the law from our cybersecurity and date privacy colleagues.

Retailers must upgrade online credit card processing security by June 30

Susan Ross (US)By Susan Ross (US) on Posted in General

By June 30, 2018, retailers accepting digital (online) credit card transactions must cease using encryption protocols known as SSL or TLS 1.0. Retailers must transition to TLS 1.1 or higher (such as the popular TLS 1.2) or else lose the ability to accept credit card payments. Note also that Nevada law requires compliance with the Payment Card Industry Data Security Standards (PCI DSS) with respect to Nevada cardholders.

The reason for the change is the PCI DSS, when version 3.1 was issued in April of 2015. Encryption protocol TLS 1.0 dates back to 1999, and was vulnerable to a variety of cyberattacks, including POODLE in 2014. TLS 1.1 was issued in 2006, and TLS 1.2 was issued in 2008. Any server using any Windows Server version older than 2008 will not support either TLS 1.1 or 1.2, so upgrading encryption may involve more than a quick protocol fix. The PCI Security Standard Council has offered guidance on moving to higher encryption protocols, including an infographic.

Retailers who had previously upgraded their on-premises equipment with credit card chip readers have probably already seen fraudulent credit card charges decrease. As of February 2018, VISA reported that this type of fraud had decreased 70% in the U.S. as of September 2017, as compared to fraud reported in December 2015. Visa also reported that EMV (Europay, MasterCard, VISA) chip cards accounted for 96% of the overall payment volume in the United States in December 2017, with chip payment volume reaching $78 billion.

Retailers who need to upgrade their encryption protocols have no time to waste. Retailers using third-party processors should check to make sure the processor will meet the deadline.

California proposes to exempt coffee from Prop 65 warning requirement

Jeff Margulies (US)By Jeff Margulies (US) on Posted in California Proposition 65, Recent legislation and regulations

On April 12, 2018, we wrote about the decision in Council for Research on Education in Toxics v. Starbucks, in which a California Superior Court judge rejected the evidence presented by coffee roasters and retailers to demonstrate that exposures to acrylamide in coffee were exempt from Proposition 65’s warning requirement. With a motion for permanent injunction to be heard on July 31, despite widespread criticism of the basis of the court’s ruling (see, e.g., articles from NPR, CBS News, Self Magazine, and WebMD), it appeared that Prop 65 warnings for coffee would soon proliferate in California.

On June 18, 2018, the California Environmental Protection Office of Health Hazard Assessment (OEHHA) responded to the court’s ruling by proposing a regulation that would state that exposures to Proposition 65 listed chemicals in coffee, such as acrylamide, that are produced as part of the processes of roasting and brewing coffee, pose no significant risk of cancer.

The Agency’s rationale for exempting chemicals in coffee from Prop 65

The Initial Statement of Reasons for the proposed regulation reviewed the findings of the International Agency for Research on Cancer’s (IARC) Monograph on Coffee, Mate, and Very Hot Beverages and American Cancer Society statistics for California, to conclude that coffee reduces cancer risk:

In total, there is moderate or strong evidence that coffee either reduces risk or does not affect risk of cancers that account for 43 percent of cancers diagnosed in women and 29 percent of cancers diagnosed in men in California. There was also moderate evidence that coffee drinking reduced the risk of colorectal adenoma, a precursor lesion for a cancer that accounts for 6 percent of cancer diagnoses. Consistent results are found when US National Cancer Institute statistics for cancer diagnoses are used. Coffee drinking was not found to increase or probably increase any types of cancer in men or women.

OEHHA contrasted the complex mixture of chemicals in coffee from other complex mixtures that have been found to be carcinogenic to humans, including tobacco smoke, diesel engine exhaust, and alcoholic beverages, and pointed to mechanisms by which various anticarcinogens in coffee may produce such distinctions. Notably, the proposed exemption applies to all chemicals in coffee that are created as a result of the roasting or brewing processes, not just acrylamide, which was the subject of the CERT litigation.

What’s Next?

OEHHA has set a public hearing for August 16, with the public comment period to close by August 30. There is no express timetable for consideration of the public comments and proposal of a final regulation at this point.

Implications for the Regulation

OEHHA clearly had the court’s ruling in mind as a basis for proposing this exemption. According to the agency:

The effect of [the court’s] ruling is that exposures to acrylamide in coffee may require Proposition 65 warnings. OEHHA understands that this proposed regulation, if adopted, may cause businesses to ask courts to modify consent judgments or to seek reconsideration of court rulings and may result in businesses that are voluntarily providing warnings to choose not to do so.

It is too early to determine how this regulation, if adopted, will affect the litigation. Because OEHHA intended for the regulation to serve as a basis for reconsideration, it would appear to be a sound legal basis for such an outcome, which we expect the defense to press vigorously. While the court will hear CERT’s request for a permanent injunction on July 31, it has not yet set a date for the resumption of the trial on CERT’s claim for civil penalties.

Interestingly, OEHHA’s approach of addressing cancer risk from coffee containing acrylamide and other carcinogens–as opposed to an abstract consideration of the amount acrylamide in coffee to which consumers are exposed–was deemed by the court to be insufficient under OEHHA’s “no significant risk” regulations, when presented by the defense in the first phase of the trial. The rationale for this regulatory action by OEHHA appears to cast serious doubt on that legal analysis.

Companies not involved in the litigation who sell coffee in California may breathe a bit easier, knowing that there is at least a very open question whether follow-on litigation may be brought by CERT or others over exposure to acrylamide in coffee. We would hope that the Attorney General’s office will closely scrutinize any certificate of merit offered by a private enforcer in connection with a 60-day notice alleging exposure to acrylamide or other listed chemicals in coffee (including furfuryl alcohol), in light of OEHHA’s findings on the subject. And, hopefully, consumers can relax with their morning cup of Joe without fear that they are increasing their cancer risk.

LA judge rules that coffee requires a Proposition 65 warning for acrylamide

Jeff Margulies (US)By Jeff Margulies (US) on Posted in California Proposition 65

On March 28, 2018, Superior Court Judge Elihu Berle issued a proposed statement of decision that would require coffee roasters and retailers to provide Proposition 65 cancer warnings for coffee sold in California.

What the case is about

Plaintiff Council for Research and Education on Toxics (CERT) asserts that approximately 70 coffee roasters and retailers are required to provide cancer warnings for exposure to acrylamide in coffee. Acrylamide is listed as a carcinogen based on laboratory animal studies, but has not been proven to cause cancer in humans. Acrylamide is not added to coffee, but is formed in a complex chemical reaction when coffee is roasted (as is the case with other foods such as French fries and potato chips, in which acrylamide is formed when they are baked or fried).

Prop 65 liability issues

Once a plaintiff demonstrates an exposure to a listed chemical, Prop 65 puts the burden on defendants to demonstrate that the amount of exposure to a carcinogen such as acrylamide falls below the level at which a warning is required. For carcinogens, that level is defined as the no significant risk level, which is a default level of one excess case of cancer in 100,000 persons exposed. A business may seek to apply an “alternative significant risk level” (ASRL), where justified by “sound considerations of public health.” One such consideration is the so-called “cooking exemption”: “Where chemicals in food are produced by cooking necessary to render the food palatable or to avoid microbiological contamination.”

Phased dispute

The decision followed an initial phase of trial, in which Judge Berle found that the roasters failed to prove that:

  • the level of acrylamide in coffee was below the NSRL;
  • requiring a Proposition 65 warning for exposure to acrylamide in coffee violated the First Amendment by imposing misleading speech because coffee use was not associated with an increased risk of cancer, and was actually associated with a decreased risk of certain cancers; and
  • the Proposition 65 warning requirement was preempted by federal law.

Before the second phase of trial, the court granted summary adjudication to the plaintiff, finding that virtually all of the defendants knowingly and intentionally exposed individuals to acrylamide in coffee without providing a warning, on at least one occasion.

The second phase

The issues remaining to be tried were the ASRL defense, and the issues of civil penalties and injunctive relief, if the defendants did not prevail. In the first part of this phase, the parties submitted expert testimony on the ASRL defense.

The defense argued that the “cooking exception”—where chemicals in food are produced by cooking necessary to render the food palatable or to avoid microbiological contamination—supported a de facto defense, since acrylamide was formed during the roasting process. Roasting is both necessary to render coffee palatable and to destroy microbiological contamination. The defense argued alternatively that substantial epidemiological literature supported the concept that coffee had significant health benefits, justifying a lower risk level, and relied in part on the testimony of former FDA Commissioner David Kessler to support this argument. The defense also introduced testimony about the amount of the exposure based on testing of over 500 samples of coffee performed at Covance Laboratories and analyzed by an expert in exposure assessment. Plaintiff presented no evidence to counter this evidence.

Judge Berle rejected the defense’s assertion that the cooking exception was sufficient to avoid liability without quantifying the amount of the exposure. He also rejected Commissioner Kessler’s testimony about alternative risk levels, and the defense’s exposure assessment evidence, finding that the Covance data was not shown to be reliable because it was a novel technique that the scientific community has not yet generally accepted. He alternatively found that the Covance lab director and the expert were not credible, although he did not explain his reasoning on these findings.

Going forward

The defense will file objections to the proposed statement of decision shortly, although there is no reason to believe that Judge Berle will change his decision. The final phase of the dispute is not yet completed, as there will be a trial for the court to take evidence on the issues of civil penalties and injunctive relief. The potential exposure in this case is astronomical, with millions of units of coffee sold each year, and a maximum penalty of up to $2,500 per violation per day. It is anticipated that plaintiff will move for an injunction requiring the defendants to provide Proposition 65 warnings pending the conclusion of the case and appeal. There is no date yet set for this remedies phase, which could take upwards of two months to complete, based on the number of companies involved in the litigation.

The year in review: cosmetics remain target of California VOC enforcement

Will Troutman (US)Shirley Kim (US)By Will Troutman (US) and Shirley Kim (US) on Posted in Recent legislation and regulations

A year-end review of the California Air Resource Board’s published enforcement settlements highlights that cosmetics remain a priority for ARB under the General Consumer Products Regulation, which limits the amount of volatile organic compounds (VOC) in consumer products.

The General Consumer Products Regulation

The ARB General Consumer Products Regulation sets VOC limits (percent by weight) for a variety of consumer products, including hair styling products, personal fragrance products, and nail care products. Covered consumer products may not be sold, supplied, offered for sale, or manufactured for sale in California unless they meet the applicable limit.

For strict liability offenses, penalties can be assessed at up to $5,000 per day, or up to $10,000 per day, but at this higher maximum, the alleged violator may assert an affirmative defense that the violation was not the result of intentional or negligent conduct. Generally, ARB seems to pursue the $5,000 threshold for strict liability violations. Negligent violations are subject to $25,000 per day per violation.

(As a quick aside, the Legislature recently amended the Health and Safety Code to increase the maximum for strict liability violations from $1,000 to 5,000 per day, effective January 1, 2018).

ARB enforcement

ARB’s process for enforcement starts with market surveillance, in which it purchases products, tests them for VOC content, and upon finding a violation, initiates an informal investigation. This includes requesting sales data from the domestic manufacturer, importer, or private labeler, as well as any mitigating information. ARB will then propose a penalty settlement amount based on the following formula, and this proposal serves as the starting point for negotiations.

For first time violations, ARB has developed an administrative penalty formula based on excess tons of VOC emitted from the offending product. Under this approach, ARB seeks a penalty of $22,000 per excess ton of VOC.  The floor for de minimis violations tends to be $3,000. For repeat violations or first time violations with aggravating circumstances, ARB will use the “per day” penalty scheme set forth above, seeking penalties for each day the product was available for sale in California. ARB will base the per day penalty amount on a sliding scale, taking into account various penalty factors, including past violations, remedial measures, and economic hardship. ARB has published an enforcement policy document outlining its approach to enforcement.

Cosmetics settlements

Since 2016 (we are fudging the “year in review” concept a little bit to provide more meaningful data), ARB has settled 23 cases involving cosmetic products, primarily for hair styling products and nail polish removers. The alleged violations ranged from 0.078 to 9.81 tons in excess VOC emissions (there was one de minimis violation, which we assigned a tonnage of 0.001), and the penalties ranged from $3,000 to $199,500:

In 17 out of the 23 settlements, ARB reduced the penalties for first time violators who cooperated in ARB’s investigation. ARB also factored in economic or financial hardship to reduce penalties in three settlements.

All told, ARB collected nearly $650,000 from cosmetics manufacturers and private labelers during that span (for reference, ARB collected a total of $1.3 million in 2016 from all Consumer Product regulation settlements combined).

E-A-G-L-E-S EAGLES!!!!

New security requirements issued for credit card payments on mobile devices

Will Troutman (US)By Will Troutman (US) on Posted in General

Check out this new post from my colleague, Sue Ross, covering new standards for mobile device credit card payments, including at retail stores. The Payment Card Industry (PCI) Security Standards Council recently announced the new standards, which apply to PIN entry transactions on smartphones and tablets used at point-of-sale. The post is published in Norton Rose Fulbright’s Data Protection Report.

LexBlog