Each week, Crowell & Moring’s State Attorneys General team highlights significant actions that State AG’s have taken. Here are this week’s updates.

  • On October 22, New Jersey Attorney General Grewal sued Navient Corp. and Navient Solutions LLC, a student loan servicer, alleging that the company engaged in deceptive conduct and unconscionable commercial practices as well as made misrepresentations when it was servicing New Jersey consumers’ student loans.  The company allegedly steered borrowers into forbearance instead of income-driven repayment plans that would have been better suited to their financial situation, failed to tell borrowers about recertification eligibility deadlines for income-driven repayment plans, convinced borrowers to take out private student loans with a cosigner then made it very hard to obtain a cosigner release, and misled borrowers about the extent of their delinquency.
  • On October 22, Michigan Attorney General Nessel signed an Assurance of Voluntary Compliance with Inspiring Clothing, which allegedly violated the Michigan Consumer Protection Act by failing to fulfill online orders for screen-printed t-shirts, which totaled about $38,000 in purchases, and allegedly advertised that sales would be donated to charitable causes but did not actually donate to these causes. Under the AVC, Inspiring Clothing must pay $1,000 to the Attorney General’s Office, stop operating for a year, and make a $100 payment to each additional customer who comes forward with proof that their order was not fulfilled or refunded, as well as a $100 payment to the Attorney General’s Office.
  • On October 22, New York Attorney General James announced an agreement with Bell Mechanical Contractor which requires the company to pay $200,000 in restitution for falsely claiming to meet state diversity requirements in order to obtain a $1.2 billion Rochester Schools Modernization Program contract. The company has also committed to extensive long-term compliance, remediation, and training requirements.

On August 14, 2020, California Attorney General Becerra announced that the Office of Administrative Law approved final regulations under the California Consumer Privacy Act (CCPA). The approved regulations, which became effective immediately, guide businesses and consumers on the CCPA.  The final regulations can be found here.

Even before final approval of the regulations, the California Attorney General’s Office announced that it had already begun enforcing the CCPA in California. By July 10, 2020, the Office had issued warning notices to online businesses for failure to comply with the CCPA. The businesses receiving these notices will have 30 days to comply with the CCPA, or they risk a lawsuit being filed against them by the Attorney General’s Office. It is expected that in the future the AG will no longer issue warning letters and proceed with enforcement.

The CCPA allows California residents to learn what information companies have collected about them, seek the deletion of any collected information, and prevent companies from selling their personal information to third parties. The law also requires any covered business to place a link on its homepage, labeled “Do Not Sell My Personal Information,” that consumers can click to ensure the company does not sell their data. Additionally, the CCPA prohibits businesses from selling minors’ personal information without parental consent for those under the age of 13 or consent of those 13-16 years old.

The CCPA applies to companies that: (1) have more than $25 million in gross annual revenue; (2) buy, sell, or receive the personal information of at least 50,000 consumers, devices, or households; or (3) gain 50% or more of their annual revenue from selling consumers’ personal information.

When determining the recipients of the warning letters, the Attorney General’s Office reviewed consumer complaints, including some that were made on the Twitter platform. The Office has also advised businesses that sell consumers’ information to quickly confirm that they have a “do not sell” button on their website.

California businesses that are under the CCPA should carefully ensure they comply with all of the CCPA’s requirements, including the presence of the “do not sell” link, in order to avoid potential liability.

Although COVID-19 is occupying a lot of regulatory resources, Attorneys General are continuing their consumer protection mission, including watching out for deceptive claims related to stem cell therapy and other medical treatments. Attorneys General are particularly concerned about businesses making unsupported claims suggesting their services or procedures can treat or cure disease.

On July 15, 2020, Iowa Attorney General Tom Miller sued stem cell therapy entities Regenerative Medicine and Anti-Aging Institutes of Omaha, Omaha Stem Cells LLC, and Stem Cell Centers of Anchorage, Alaska, as well as their owners in their individual capacities, for allegedly making unfounded claims that their treatments could reverse aging and cure, prevent, or treat medical conditions. The defendants allegedly claimed their services could cure, treat, or prevent conditions such as neuropathy, Alzheimer’s disease, and chronic obstructive pulmonary disease. They allegedly targeted older Iowans through advertisements and live events, persuading them to purchase treatments that ranged in cost from $1,400 to over $27,000 and that were not covered by health insurance. The lawsuit seeks injunctive relief, restitution, and civil penalties of up to $40,000 per violation of the Consumer Fraud Act. It also seeks $5,000 for every violation of the Older Iowans Law.

Nebraska Attorney General Doug Peterson also filed a lawsuit against the same defendants based on their actions against consumers in Nebraska. In regard to the lawsuit, Attorney General Peterson stated, “Consumers are entitled to accurate and truthful information about any product or service, but especially those products that affect their health and wellbeing. With today’s filing, we remind all healthcare providers and other businesses that they will be held accountable for the representations they make to consumers.”

The U.S. Food and Drug Administration (FDA) has approved stem cell therapy for the limited purpose of treating those with hematopoietic system disorders. However, this method of treatment is still in its early stages for other medical issues, and though it has potential, it has not yet been proven safe and effective.

The Iowa and Nebraska lawsuits come only a few months after the FDA issued a public safety notification in December 2019 warning against products advertised as containing exosomes, after several patients in Nebraska experienced “serious adverse events.” The FDA notification explains that, as of the time of its issuance, there are “no FDA-approved exosome products,” though some clinics, including a number that also market “stem cell” products, offer them to patients. The Iowa and Nebraska lawsuits are also occurring in the context of Attorneys General initiating enforcement actions against companies alleging that they can cure or treat COVID-19.

Any business offering a product or service that claims to possess the ability to cure or prevent a disease should carefully ensure that these representations are supported by scientific evidence and approved by the FDA in order to avoid liability. By their nature, health claims require heightened substantiation and business cannot rely on “after the fact” testing to support prior claims. Businesses making general health and safety claims should also confirm they have sufficient scientific support backing their advertisements, given that Attorneys General are focusing their attention on this space.

On July 7, 2020, the Maine Attorney General’s Office obtained a victory for consumers in the United States District Court for the District of Maine in the area of broadband privacy law. This ruling, which among other findings held that a Maine statute guarding consumers’ private data from internet service providers is not preempted by federal law, lays the groundwork for other states to potentially enact similar laws in an effort to protect consumers from service providers selling their personal data. Maine Attorney General Aaron Frey applauded the ruling by issuing a statement emphasizing that Maine “has a significant interest in protecting Mainers from practices which may place their personal data at risk.” Attorney General Frey further states that this ruling “is a huge victory for Maine consumers.”

The Maine statute, L.D. 946, “An Act to Protect the Privacy of Online Customer Information” prohibits broadband internet service providers in Maine from sharing a customer’s personal information without that customer’s permission. The law forbids service providers from disclosing, selling, or permitting access to personally identifying information about a customer, such as name, billing information, demographic data, or social security number. It also prevents disclosing a customer’s web browsing history, application usage history, specific geolocation information, financial information, and health information, among other things.

The major telecommunications trade associations challenged the statute based on preemption, First Amendment, and vagueness grounds.

The associations argued that the Maine statute impliedly conflicts with two areas of federal law dealing with internet privacy, thus making it “an unconstitutional exercise of the state’s power.” However, the Maine Attorney General’s Office prevailed on its arguments that Congress has explicitly left this area open to state regulation. Federal District Judge Lance Walker held that one of the areas the plaintiffs argued constituted a federal preemption, a 2017 Joint Resolution vacating the Federal Communications Commission’s (“FCC”) 2016 Internet Service Provider Privacy Order, merely disapproved of and nullified the Privacy Order, allowing the states to regulate in this space. The court declined to “read Congressional tea leaves when deciding whether federal action preempts state law.” Significantly, as privacy law is a traditionally state-regulated area, there is a particularly “strong presumption against implied federal preemption of state law.” Judge Walker also found that the Maine privacy law is not preempted by the FCC’s Restoring Internet Freedom Order, in which the FCC deferred to the Federal Trade Commission to regulate privacy disclosures. Judge Walker explained that the plaintiffs did not demonstrate that the FCC’s “abdication of authority” created any preemptive conflict.

The trade associations also argued that the privacy law violates the First Amendment because Maine does not have an adequate interest in regulating this area and because the law is not designed narrowly enough to allow speech. Judge Walker found that the privacy law regulates commercial speech, but the record was insufficient to decide in the associations’ favor. Finally, the trade associations argued that the privacy law is unconstitutionally vague, but Judge Walker found that they did not adequately demonstrate a danger of chilled speech.

We will monitor whether the telecommunications trade associations appeal this decision, of which they must provide notice within 30 days from the ruling.

Now that some businesses are attempting to re-open and must sanitize their locations for employees and the public, Attorneys General will vigilantly monitor for unsupported claims that products can cure or prevent the transmission of COVID-19. They will also watch for claims that a location using these products will be safe for the public. Several Attorneys General have already initiated enforcement actions and issued cease and desist letters admonishing companies who made such representations, and more are sure to follow.

On June 27, Arizona Attorney General Mark Brnovich sent a cease-and-desist letter to Clean Air EXP imploring that the company stop claiming their air purification systems neutralize “99.9% of viruses that are ‘COVID-19 surrogates.’” The letter explains that such representations imply that products can prevent the transmission of COVID-19, while there is currently no scientific support demonstrating that any air treatment product is able to avert transmission of the virus. Attorney General Brnovich’s Office also sent a similar letter to Dream City Church regarding statements it made about an air filtration system it bought from Clean Air EXP, such as that 99% of the virus would be gone when visitors came into the church auditorium and that churchgoers would be “safe and protected.” The church was warned that because it rents its facility for other reasons besides church functions, misrepresentations about the safety of the church could violate the Arizona Consumer Fraud Act.

On June 26, Oregon Attorney General Ellen Rosenblum announced settlements with six clinics and companies who sold and advertised products they claimed could cure the virus or possessed immunity boosting properties, though the products were not approved by the FDA or recommended by the CDC. Under the settlement agreements, the companies may no longer make such claims unless they are first approved by the FDA and supported by “competent and reliable scientific evidence.” On June 16, Arkansas Attorney General Leslie Rutledge announced a lawsuit against The Jim Bakker Show for telling consumers in Arkansas that colloidal silver products could eliminate the virus, resulting in the sale of over $60,000 worth of products. The FDA has previously advised that such products “are not scientifically recognized to be safe and effective.”

Companies should be aware that Attorneys General are watching for unsupported claims that products can cure or rid the air of COVID-19 or that a business location is free of the virus, as well as other similar scams. To avoid liability, they should carefully ensure that any claims they make about air purification, curing or preventing transmission of the virus, or the safety and cleanliness of business locations are backed by scientific support.