Retail and Consumer Products Law Roundup

The Battle Over CFPB Leadership Continues

By Richard E. Gottlieb, Partner, Financial Services Group | Charles E. Washburn, Jr., Partner, Financial Services Group

Although the first round in the battle over leadership of the Consumer Financial Protection Bureau went to President Donald Trump’s pick for the position, the fight continues, leaving the CFPB’s ongoing work very unsettled.

What happened

Just before outgoing Director Richard Cordray stepped down from his role at the CFPB, he appointed Chief of Staff Leandra English as deputy director in an apparent effort to circumvent any selection of an acting director by President Trump from taking over the leadership position. Ignoring Cordray’s maneuver, President Trump tapped Mick Mulvaney, already the director of the Office of Management and Budget (OMB), to take over as acting director at the CFPB.

English filed suit, but U.S. District Judge Timothy J. Kelly (a Trump nominee) sided with the president. Denying English’s request for a temporary restraining order, the court said the language of the Consumer Financial Protection Act, under which the deputy director serves as director in the event of the director’s “absence or unavailability,” did not apply to vacancy as a result of resignation.

Therefore, the Federal Vacancies Reform Act applied, putting the power to appoint a new director in the hands of the president, the court held. “On its face, the Vacancies Act does appear to apply to this situation,” Judge Kelly said. On Dec. 6, Ms. English filed an amended complaint and a motion for a preliminary injunction. Judge Kelly has issued an aggressive scheduling order through the rest of December, with a hearing on Ms. English’s motion currently scheduled for Dec. 22. Any decision by Judge Kelly would be appealable to the U.S. Court of Appeals, D.C. Circuit.

In the meantime, Mulvaney has moved aggressively in managing the CFPB, in part apparently to demonstrate what he perceives as a flaw in the CFPB’s structure, in that it places an inordinate amount of unchecked power in the hands of just one individual, saying in an interview that the authority wielded by the director of the CFPB “should frighten people.”

Why it matters

The battle at the CFPB continues to rage on, with a new complaint filed this month by a credit union alleging that the president’s appointment of Mulvaney was unconstitutional and amounts to “an illegal hostile takeover of the CFPB.” The Lower East Side People’s Federal Credit Union argues that with Mulvaney at the helm of the CFPB, its members are at risk. Until the litigation is finally resolved, the situation at the CFPB will continue to be unstable.

back to top

Cybersecurity Guidance on SEC Horizon

By Craig D. Miller, Partner, Financial Services Transactions

In a push for increased cybersecurity vigilance, the Securities and Exchange Commission indicated its plans to amend existing data security guidance, including the reporting of data breaches.

What happened

Speaking at a Practising Law Institute event in New York City, SEC Director of Corporation Finance William Hinman urged publicly traded companies to review their practices with regard to cybersecurity. More specifically, he suggested consideration of how a company internally disseminates information about potential breaches, the point at which senior managers get informed about suspected intrusions, and how companies report data breaches to their investors.

These issues are top of mind for the agency, Hinman said, and will likely be the subject of tweaks to the SEC’s data security guidance. “Current guidance is in pretty good shape,” he told attendees. But the agency will “touch [on] a couple of things that will be new” to the six-year-old guidance, such as how breach information gets disclosed internally and escalated to senior management. “I think this issue is important enough, wide-ranging enough that we should tackle it at the Commission level,” he added.

Also on the radar: ensuring that appropriate controls and practices are in place for preventing insider trading. “It would be wise for folks to re-examine their insider trading policies,” Hinman noted. Although he didn’t explicitly reference the incident, the topic was likely spurred by the recent Equifax data breach, where reports have claimed that three company executives sold nearly $2 million worth of shares in Equifax after they learned about the breach but before it was announced to the public.

While Hinman did not discuss a time frame for when the SEC might make the changes, his remarks echoed a similar sentiment shared by SEC Chair Jay Clayton when testifying before the Senate Banking Committee earlier this year. Clayton told legislators that companies need to disclose more cybersecurity information to their investors, and in the event of a breach, do it more quickly.

The SEC has increasingly focused on cybersecurity issues, including the creation in September of a new Cyber Unit to focus on misconduct involving hacking and threats to trading platforms, the spread of false information through electronic and social media, and misconduct involving distributed ledger technology.

Why it matters

The SEC’s current cybersecurity guidance was released in October 2011, a lifetime in the digital world and before the recent record-setting breaches such as that at Equifax. At the time, the agency did not mandate that public companies report every data breach to investors but instead discussed how a major attack could impact a company’s business, which would in turn necessitate the need for disclosure to investors. Based on the comments from current SEC leadership, it appears the agency could take a stronger line on disclosures as well as on enforcing insider trading restrictions in the context of an undisclosed data breach. Public companies should also closely evaluate any data breaches (or threats of data breaches) when drafting their periodic reports for the SEC.

back to top

Pharmacies and Healthcare Facilities Await EPA’s Final Pharmaceuticals Rule

By Ted Wolff, Partner, EnvironmentMatthew D. Williamson, Partner, Environmental Litigation

As of the time of publication, the Environmental Protection Agency (EPA) has just published its Fall Regulatory Agenda (December 14, 2017). The Regulatory Agenda establishes the agency’s rulemaking priority. In addition to foreshadowing President Trump and EPA Director Scott Pruitt’s scaling back of environmental regulations, notable here is that the agency proposes a July 2018 final rulemaking for the proposed regulation governing the management of hazardous waste pharmaceuticals. The comment period on the original proposed rule closed in late 2015. Over the course of the next several months, we will work with Agency contacts, state environmental regulators and stakeholders to track and assist in understanding EPA’s final rule incorporating responses to comments.

Stay tuned for Manatt’s updates and further analysis regarding the rule’s impact on retail pharmacies and other healthcare facilities. For more information, please contact Manatt partners Ted Wolff or Matt Williamson.

back to top

Lawmakers Seek to Keep Things Private

By Jeffrey S. Edelstein, Partner, Advertising, Marketing and Media

Federal lawmakers are considering the Consumer Privacy Protection Act of 2017, a new bill that would regulate the storage online of certain types of personal consumer information.

Introduced by Sen. Patrick Leahy (D-Vt.) and cosponsored by Sens. Ed Markey (D-Mass.), Richard Blumenthal (D-Conn.), Ron Wyden (D-Ore.), Al Franken (D-Minn.), Kamala Harris (D-Calif.) and Tammy Baldwin (D-Wisc.), the proposal would require companies that collect and hold data on at least 10,000 U.S. individuals to meet certain baseline privacy and data security standards to safely keep information obtained from consumers.

More specifically, the legislation mandates that companies encrypt information (or use similar protective technologies), conduct vulnerability testing and employee training, conduct due diligence before allowing third parties to acquire data, and destroy sensitive information that is no longer needed.

The measure protects categories of data, including Social Security numbers; financial account information (including credit card numbers and bank accounts); online usernames and passwords, such as email names and passwords; unique biometric data (fingerprints and “faceprints,” for example); information about a person’s physical and mental health; geolocation data; and private digital photographs and videos.

Data breach notification requirements are also included in the bill. Consumers must be notified of a breach “as expediently as possible and without unreasonable delay,” not to exceed seven days following the discovery of a security breach. An exception covers delays authorized for law enforcement or national security purposes.

In addition, companies must provide five years of appropriate identity theft prevention and mitigation services to consumers whose sensitive personally identifiable information has been—or is reasonably believed to have been—accessed or acquired.

Enforcement would be provided by state attorneys general, who would have the power to enjoin a practice that allegedly violates the Act, and to enforce compliance or impose a civil penalty “in an amount not greater than the product of the number of violations … and $16,500.”

Data breach notification violations are subject to a different scheme under the statute. Determinations of a violation and the amount of the penalty will be made “by the court sitting as the finder of fact.” If the court also finds that the violation was willful or intentional, the Act provides discretion to impose an additional penalty as long as it doesn’t exceed $10 million.

No private right of action was created by the bill, which would preempt state data security and breach notification laws weaker than those found in the bill.

To read the Consumer Privacy Protection Act of 2017, click here.

Why it matters: Spurred in part by the rash of massive data breaches in recent months (including Equifax’s disclosure that hackers obtained information on more than 140 million consumers in the United States), the proposed legislation already has the support of consumer groups such as Public Knowledge, the Consumer Federation of America, and the Center for Democracy and Technology. Given the current political impasse, passage of the bill appears to be an uphill battle.

back to top

NLRB’s Noteworthy Developments

Recent decisions from the National Labor Relations Board (NLRB) find the board overturning two of its previously-established standards. All of this happened last week, signaling a significant shift in the position of the NLRB. Among them, the NLRB overturned its standard for assessing the legality of employee handbooks, as established in the 2004 Lutheran Heritage Village-Livonia decision, with a 3-2 majority. The Lutheran Heritage standard held that an employee handbook policy is illegal if employees can “reasonably construe” that the policy prohibits them from exercising their rights under the National Labor Relations Act. In overturning the Lutheran Heritage decision, the board lays out three categories into which they will classify challenged rules: rules that are legal in all cases because they cannot be reasonably interpreted to interfere with workers’ rights or because any interference is outweighed by business interests, rules that are legal in some cases depending on their application, and rules that are always illegal because they interfere with workers’ rights in a way not outweighed by business interests.

The NLRB also reversed the decision it reached in the 2015 Browning-Ferris Industries (BFI) case, in which it had expanded the test for determining joint employment. The board voted 3-2 to overturn the standard set in BFI, which established that a company can be classed as a joint employer even if the employer exerts “indirect control” over employees. During the vote, the board reverted to its pre-BFI standard of “direct and immediate control,” stating that the BFI test jeopardized the stability of relationships between employers and employees. The board’s dissenters countered that the board majority failed to solicit the public’s perspective, and challenged the majority’s policy basis for reversing the BFI standard as “entirely speculative.”

Please stay tuned for more detailed analysis and further coverage in our upcoming newsletters.

back to top

California Employers Face Multiple New Laws

Why it matters

With several new employment-related measures recently signed into law, California employers should start preparing themselves now. Beginning on Jan. 1, 2018, employers with five or more employees in the state are prohibited from inquiring into applicants’ conviction histories prior to making an offer of employment. A.B. 1008 also sets forth a number of requirements about how employers may use conviction history to deny employment. Another law, the New Parent Leave Act, extends unpaid leave to bond with a new child within one year of the child’s birth, adoption or foster care placement to employers with at least 20 workers. Prior to S.B. 63, the leave was triggered only when employers had 50 or more employees. California also joined Oregon, Massachusetts, New York and a number of cities that ban employers from asking applicants for “salary history information,” a term that includes both compensation and benefits. Finally, S.B. 396 expanded the scope of the sexual harassment training that employers with at least 50 employees must provide to supervisors, with an additional mandate that as of Jan. 1, 2018, the training must cover harassment based on gender identity, gender expression and sexual orientation. Employers should take the time to familiarize themselves with all the new laws and coming changes.

Detailed discussion

Employers in California are facing a busy future with several new employment laws set to take effect in the coming months. The following provides an overview of some of the biggest changes.

  • After limiting employers’ ability to ask job applicants about any juvenile court matters last year, the California legislature enacted a broader “Ban the Box” law in 2017 that will take effect on Jan. 1, 2018. A.B. 1008 amended the Fair Employment Housing Act with a new provision that restricts an employer’s ability to make hiring decisions based on an applicant’s conviction records, forbidding consideration of conviction history until a conditional offer of employment has been extended. Applicable to employers with five or more workers, the law contains minimal exemptions (such as positions with criminal justice agencies) and prohibits inquiring about, considering or including on an application questions about conviction history. If an employer decides not to hire an applicant because of a prior conviction, the employer is required to conduct an individualized assessment to determine whether the history has a “direct and adverse relationship with the specific duties of the job that justif[ies] denying the applicant the position,” taking into account the nature and gravity of the criminal offense, the time that has passed, and the nature of the job. Once a preliminary determination has been made that the conviction history disqualifies the applicant from employment, written notice must be provided, giving the applicant five business days to respond and dispute the decision. A second notice must be provided with the final decision not to hire. Applicants can sue for alleged violations of the provision, requesting compensatory damages, attorneys’ fees and costs.
  • The California Family Rights Act required employers with 50 or more workers to provide unpaid leave of up to 12 weeks to bond with a new child within one year of the child’s birth, adoption or foster care placement. Now the New Parent Leave Act has broadened this requirement to employers with 20–49 employees in a 75-mile radius. Pursuant to S.B. 63, workers will be eligible to take leave once they have worked for the employer for at least 12 months and at least 1,250 hours. While an employee is on leave, the employer must continue to pay its share of the employee’s healthcare premiums, although it may recover this money under certain circumstances (if the employee fails to return to work after his or her leave expires, for example). If both parents work for the same company, leave can be limited to a combined total of 12 weeks and the employer can require the leave be taken concurrently. The new law takes effect in January 2018.
  • Joining a growing number of jurisdictions—including Delaware, Massachusetts, New York, Oregon and several cities—California employers are now prohibited from asking job applicants for “salary history information,” defined to include both compensation and benefits. A.B. 168 does permit employers to rely upon information that is shared by the applicant “voluntarily and without prompting,” although the state’s Fair Pay Act bans employers from relying solely on prior salary to justify any disparity in compensation. The new law, which takes effect on Jan. 1, 2018, applies to both public and private employers and also requires employers to provide applicants with the pay scale for a position upon “reasonable request.”
  • Mandatory sexual harassment training for supervisors got a tweak pursuant to S.B. 396. Beginning on Jan. 1, 2018, employers with 50 or more employees must now address harassment based on gender identity, gender expression and sexual orientation as part of the already required two hours of supervisory training that must be conducted every two years or within six months of an individual’s assumption of supervisory duties. The measure also contains an updated poster requirement.

To read A.B. 1008, click here.

To read S.B. 63, click here.

To read A.B. 168, click here.

To read S.B. 396, click here.

back to top

Converse Runs Away With Dismissal Over De Minimis Bag Checks

As the plaintiffs failed to establish that the employer’s bag checks took long enough to merit compensation, a California federal court dismissed the action. Eric Chavez alleged that he and other workers at Converse retail stores in the state were due wages for the unpaid time they spent waiting for and undergoing bag inspections when they exited the store premises. Converse countered with a study showing that the average combined time per employee was less than two minutes. Although the plaintiffs presented testimony from workers that some bag checks took more than one minute, the court ruled the unpaid time was de minimis. Chavez has already filed notice of appeal, arguing that the court should have waited to decide the case given that the California Supreme Court is currently considering whether de minimis time is compensable, answering a certified question from the U.S. Court of Appeals, Ninth Circuit in a case involving Starbucks.

Detailed discussion

A nonexempt hourly employee at a Converse retail store in Gilroy, CA, Eric Chavez was required to undergo an exit inspection each time he left the store during or after a shift. Each departure during his employment from September 2010 to October 2015 consisted of a visual inspection as well as a bag check, if he was carrying a bag. Converse did not pay Chavez for the time these exit inspections took or for the occasions when he had to wait for a manager to come to conduct the inspection.

Alleging violations of California’s Labor Code, Chavez filed a putative class action in 2015. The court certified a class of employees dating back to 2011, and Converse then filed a motion for summary judgment.

The employer offered a time and motion study that considered 436 exit inspections, breaking down each part of the process into waiting time, bag checks and visual inspections. The study found that 290 of the exits (66.5 percent) observed no wait time, while 120 out of 146 inspections (82.2 percent) had a wait time of 30 seconds or less.

As for the inspections themselves, the majority—67.7 percent—did not include a bag check. Where only a visual inspection occurred, the average duration was 2.3 seconds, with bag checks lasting less than 3 seconds and 100 percent of the bag checks observed taking less than 30 seconds.

Combining wait time, visual inspections and bag checks, the study found that 99.5 percent of the employees spent less than two minutes before exiting the premises. Relying on these findings, the employer argued that the unpaid time was de minimis and the suit should be dismissed.

Chavez challenged the study, providing an expert to critique it, although he did not offer his own study in response. He also proffered the deposition testimony of several coworkers, which he said demonstrated that employees spent a longer period of time for the inspections than shown by the study.

Considering the employer’s motion for summary judgment, U.S. District Judge Nathanael M. Cousins first acknowledged that whether the de minimis doctrine—which originated in the context of the federal Fair Labor Standards Act—applies to state law remains an unsettled question of law currently being decided by the California Supreme Court.

However, while the issue remains pending, the court said it remained bound by existing precedent applying the doctrine to claims under the Labor Code and moved forward with its analysis.

After a detailed review of the employer’s study, the critique offered by Chavez’s expert and the deposition testimony of 23 class members, the court concluded the time spent on exit inspections was de minimis and therefore not compensable.

Although Chavez argued the depositions refuted the employer’s study, the greatest time any deponent testified that an individual bag check took was 60 seconds, and several class members never underwent bag checks because they never brought a bag onto the premises, the court said. The study’s findings “strongly suggest the exit inspections took barely a few seconds and are thus not compensable.”

Further, “[o]nly Eric Chavez testified to always having to wait more than one minute for exit inspections,” the court wrote, Chavez having testified that he “always” had to wait at least four minutes. “The rest of the class members testified to either never waiting for an exit inspection, or waiting for an inspection less than 50 percent of the time.”

Converse’s timekeeping system records time in one-minute intervals. The study found that 95.9 percent of exit inspections took one minute or less and 99.5 percent of exit inspections had a wait time of two minutes or less. “These findings are significant because Converse’s timekeeping system cannot measure time in less than 1 minute increments … [and] the overwhelming majority—95.9 percent—of exit inspections would not have been measurable because they lasted less than one minute,” the court wrote.

Even taking into account the testimony of Chavez that he once waited 18 minutes for an exit inspection as well as that of two other workers—one who testified to waiting one to two minutes and the other who testified to waiting two minutes or more—the court was not convinced the time was enough to warrant compensation.

“[Three] out of 24 class member[s] arguably testified that their exit inspection took greater than one minute with regularity,” Judge Cousins wrote. “This testimony is insufficient to rebut the [study’s] finding that the overwhelming majority of exit inspections took less than one minute, especially where 21 other class members did not experience compensable exit inspections with any regularity,” Judge Cousins said.

The court granted Converse’s motion for summary judgment.

To read the order in Chavez v. Converse, Inc., click here.

back to top

Eight-Figure Settlements Continue for TCPA Disputes

By Christine M. Reilly, Chair, TCPA Compliance and Class Action Defense | Diana L. Eisner, Associate, Litigation

Multimillion-dollar settlements continue to be a popular solution to Telephone Consumer Protection Act (TCPA) class actions, as demonstrated by a recent retailer agreement.

U.S. District Judge Valerie Caproni recently granted final approval to a $14.5 million deal involving American Eagle Outfitters to end multiple lawsuits accusing the national retailer of sending thousands of “spam texts” to more than 600,000 consumers.

After four putative class actions were consolidated in New York federal court, the parties engaged in more than two years of litigation, including discovery and motion practice, before reaching a settlement via mediation. American Eagle agreed to pay a total of $14.5 million into a nonreversionary settlement fund for class member claims, administration expenses, class representative awards, and attorneys’ fees and costs.

The court granted preliminary approval in January and signed off on final approval of the deal in September. Class members will receive approximately $232 each, administration expenses topped $665,580, class counsel will receive more than $104,785 in costs and $4.35 million in fees, and a total of $10,000 in incentive fees will be paid to the four representatives.

More than 38,000 valid claim forms were submitted, the court said, with just nine members requesting to be excluded and six objections to the deal. Third-party defendant Experian Marketing Services objected to the agreement on the basis that the plaintiffs—by simply alleging a violation of the TCPA and nothing more—failed to demonstrate they had Article III standing.

Applying Robins v. Spokeo, the court reached the opposite conclusion, finding that the statutory violation alone was sufficient to establish a concrete injury.

“Plaintiffs’ receipt of unwanted and unauthorized telephone contact by an automated system is precisely the harm that Congress was trying to avoid when it enacted the TCPA,” the court said. “As such, Plaintiffs’ concrete injury is the invasion of the right created by the statute; their receipt of the telephone contact ‘presents a material risk of harm to the underlying concrete interest Congress sought to protect in passing’ the TCPA.”

Reviewing the other objections (two of which were withdrawn and one of which was untimely), the court found them “meritless.” The class notice was reasonable and adequate, the court said, and concerns about the settlement amount ignore “the very real litigation risks that Plaintiff faced,” particularly as the deal provides nearly 50 percent of the available statutory damages for a nonwillful violation of the TCPA.

Finding that all of the requirements of Rules 23(a) and (b) of the Federal Rules of Civil Procedure had been met and that the settlement amount fell “well within the range of reasonableness,” Judge Caproni granted final approval of the agreement.

To read the opinion and order in Melito v. American Eagle Outfitters, Inc., click here.

Why it matters

The $14.5 million deal is only the most recent multimillion-dollar TCPA settlement, and as class actions continue to be filed under the statute, it likely won’t be the last.

back to top