Capitol Hill briefing alerts lawmakers to public health ramifications of CBD proliferation

/in , , , , , /by

Lawmakers need to be aware of the threats to public health posed by the proliferation of unregulated, untested CBD products currently widely available in the marketplace. There is a great deal of work to be done in Washington to better understand the healing potential of CBD, while also protecting consumers from the dangers of what is currently an anything-goes market environment.

That was the compelling message participants took from a congressional staff briefing last week on “The Future of Cannabis as a Drug.” Expert speakers, including National Consumers League Executive Director Sally Greenberg, issued a two-pronged call for action: to intensify clinical research into new medical treatments containing CBD, while encouraging the Food and Drug Administration (FDA) to proactively regulate non-medical, over-the-counter CBD products that are frequently mislabeled and contain potentially harmful ingredients.

The briefing featured opening remarks by U.S. Representatives Scott Peters (D-CA) and Cathy McMorris Rodgers (R-WA) and was moderated by Ron Manderscheid, Executive Director of the National Association of County Behavioral Health and Developmental Disability Directors and the National Association for Rural Mental Health. “We would like to have more understanding and more confidence in CBD products,” Rep. Peters explained. “You should know what you’re getting”.

Attendees received eye-opening data about the ways in which readily-available CBD products—sold in the form of oils, lotions, food additives, and more—have the potential to make consumers ill. Few realize, for example, that an independent study found 70 percent of the top-selling CBD products contain substances such as pesticides, arsenic, and toxic mold.

NCL’s Greenberg previewed upcoming academic research that will place a spotlight on the questionable science being utilized by CBD and cannabis companies, often in partnership with academia, to lend legitimacy to these products and short-cut the regulatory approval process. “Not only are these products untested, but they are inaccurately labeled,” said Greenberg. “We want FDA to do what it’s supposed to do, and what we as consumers expect it to do.”

NCL launched Consumers for Safe CBD to warn the public of the potential health and safety risks associated with unregulated and unlawfully marketed CBD products.

Susan Audino, a board member of the Center for Research on Environmental Medicine in Maryland, shared her findings on the lack of quality controls currently in the CBD marketplace and how product marketing is accelerating faster than the science used to substantiate claims of enhanced health and well-being. “We even trust McDonald’s to inform us of the number of calories in a Big Mac,” said Audino. “When it comes to cannabis, we are not afforded that same safety and assurance.”

James Werline, a pharmacist and the father of a daughter with a severe form of epilepsy, spoke to the promise and importance of CBD-related research. The only CBD medication currently approved by the FDA is used to prevent seizures caused by rare forms of childhood epilepsy. Angelique Lee-Rowley, Vice President, Global Chief Ethics and Compliance Officer at Greenwich Biosciences, discussed the importance of clinical research into new CBD treatments and shed light on the restrictions pharmaceutical companies have in educating consumers on product efficacy versus the retail and online marketers who have few boundaries in the claims they can make.

“We are on the verge of a major breakthrough,” said Rep. McMorris Rogers. “We want to be encouraging those breakthroughs. I am committed to helping with those developments.”

The briefing served to alert congressional staff to the seriousness of this issue. By 2022, the CBD marketplace is expected to reach $1.8 billion in sales, more than triple what it was just four years earlier. As the commerce expands, so do—without adequate consumer protections—the threats to health and safety.

Enough is enough! It’s time for the FTC to protect consumers from deceptive automatic renewal clauses

/in , , , , /by

Brian Young

If you’re like most Americans ,you have probably had a bad experience with an automatic renewal oras they are sometimes referred toa negative option clause. Regardless of the name they go by, these clauses cause contracts and subscriptions (ranging from equipment leases to gym memberships) to renew if a consumer fails to cancel the contract. Unfortunately for consumers, these clauses are increasingly being slipped into the fine print of contracts or misleadingly disclosed to customers during the checkout process.  

Some companies take this practice a step further by offering a free or low-fee trials to a customer only to later lock them into an expensive and lengthy contract without obtaining their informed consent. One survey found that this has happened to 59 percent of consumers, and that number appears to be growing. A Better Business Bureau study of FTC complaint data found that complaints about free trials doubled between 2015 and 2017. With the average loss rates for deceptive free trials reaching $186 per incident, it is clear that action is sorely needed.

While states like California and the District of Columbia have taken steps to protect their residents from these disreputable “gotcha” clauses, a majority of Americans still lack adequate protections. Some businesses will not only utilize deceptive negative option clauses, but also place unnecessary barriers in the cancelation process to prevent consumers from managing or canceling their subscriptions and contracts. Indeed, nearly 42 percent of Americans have complained about the difficulty companies have created  in the cancellation process.

Thankfully, the Federal Trade Commission (FTC) is finally considering improving consumer protections in this space. While the FTC already offers a few modest protections through laws and regulations like the Restore Online Shoppers Confidence Act (ROSCA), a series of loopholes exist, allowing companies to mask rate hikes, roll consumers into lengthy trials without their informed consent, and hide these clauses in the fine print.

To help encourage the FTC to require meaningful protections, NCL recently filed a comment letter urging the Commission to:

  • Require clear and conspicuous disclosure of any automatic renewal clause, regardless of where or how the consumer enters into it;
  • Require companies to provide meaningful notifications prior to any contract or subscription renewal;
  • Ensure that businesses receive a consumer’s consent for their free or low-fee trial to be rolled over into a contract; and
  • End the practice of businesses making it difficult for consumers to amend, manage, or cancel their subscription.

NCL believes that the FTC has a real opportunity to extend long overdue automatic renewal protections to all Americans. As more companies incorporate the use of negative option clauses in their contracts, consumers need meaningful notifications and protections that ensure that they remain in control of their financial decisions. A strong FTC negative option rule will ensure that businesses compete over quality and price, not over who can create the most painful cancellation procedures or earn the most revenue by slamming consumers with unexpected and costly contracts. The time is now for the FTC to act.

Read NCL’s full comment filing here (PDF).

How consumers must respond to the security threat inside nearly every computer

/in , , , , , , , /by

Nearly two years ago, researchers revealed flaws in the chips of virtually every computer made since the mid-1990’s. The flaws—primarily found in Intel’s chips—create a vulnerability that can be exploited by allowing hackers to obtain unauthorized access to privileged information.

Since the initial exploits were first exposed, new versions have continued to be discovered—the most recent of which was found this past NovemberWhile software “fixes” have been released, they tend to reduce the speed and performance of computers—as much as 40 percent, according to some reportsIn additionsince the flaw is hardware-based, the “fix is only good until the next exploit is discovered. 

At the time of the discovery of one of the “worst CPU bugs ever found,” there was significant alarm expressed in the news as well as across the cybersecurity communitySince that timepublic attention has waned. Unfortunately, the problem has only grown worse. And while there has been considerable discussion of the impact these flaws have on businessesthe impact on consumers has been somewhat overlooked. 

That’s why NCL’s #DataInsecurity Project recently released a paper detailing the threat that these bugs—with scary names like MeltdownSpectre, and Zombieloadpose to consumers, their data, and the performance of their computers.  

Every organization or individual running a server or computer with affected hardware should take action to protect themselves. Unfortunately, consumers are less likely to know what to do or have the resources to do it, leaving them more exposed 

For example, consumers are more likely to be running older or outdated software. Consumers are also likely to keep their computers much longer than a business, making their hardware older as well. The way these flaws work, older hardware generally sees a greater slowdown when the security patches are applied. 

Additionally, the small businesses that consumers interact with may also be running “legacy” hardware or software. These businesses may not be able to afford the high cost of additional servers to offset the speed loss from the patches or of entirely replacing old systems. This difficult choice for small businesses could mean that some decide against applying patches – with potentially severe consequences for consumers’ data security.  

Google has taken preemptive steps to protect consumers, but it also warned that as a result of these security measures, “some users may notice slower performance with some apps and games.” Apple, conversely, has offered software patches but left other security measures as an “opt-in” for consumers.  

So, while consumers may not face the same type of risk as businesses, they do face a lot of challenges when it comes to addressing these exploits. Consumers already live in heightened threat environment, filled with phishing emails and computer viruses. They shouldn’t have to choose between the security of their data or the performance of their computers.  

To learn more about these issues and the best way to protect yourself, you can find NCL’s white paper here.

CBD is not the cure for whatever ails you

/in , , , /by

Unless you’ve been living under a rock, you’ve surely seen the dozens of ‘miraculous’ CBD products available today. Health food stores, pet supply stores, gas stations, and even your neighborhood pharmacy and grocery stores are carrying a plethora of CBD-infused products. CBD is included in everything from lotions and oils, beauty products, pet treats, and “tampons.” You can buy CBD-infused workout clothing and even take CBD yoga classes.

CBD, or cannabidiol, is a compound found in cannabis and derived from the hemp plant. After the passage of the Farm Bill, CBD is now legal and CBD products are marketed as having little or no THC, the primary psychoactive element in marijuana. However, under the bill, these products may lawfully contain as much as 0.3 percent THC, which is enough to produce intoxication or a positive result on a drug test, which has led to many workers unwittingly losing their jobs.

Sales of products containing CBD have exploded in recent years. In 2018, Americans purchased $500 million in products containing CBD. By 2022, that amount is expected to more than triple to reach $1.8 billion nationwide.

Consumers, take note! Illegal marketing of these products include unsubstantiated health claims as innocuous as offering “a higher sense of well-being” to the extreme claims of therapeutic benefits such as treating Alzheimer’s and Parkinson’s disease, schizophrenia, or AIDS. 

Our concern is that most CBD products on the shelves today fail to meet the safety standards we have come to expect:

  • Most have not been scientifically tested for safety and efficacy.
  • CBD product labels aren’t accurate in lists of ingredients and potency.
  • The purity and potency of ingredients in most CBD products have not been verified by reliable third parties.

Without these safeguards, consumers may be using these products or offering them to their children and pets with blindfolds on.

Exaggerated claims of unproven benefits are nothing new, but with the legalization of CBD, there’s a new explosion of untested products that demand attention from regulators. CBD could be key to the development of many new treatments and therapies. One indication is the success of the first FDA-approved drug containing CBD in controlling two types of rare, childhood-onset seizures. However, without better regulation and enforcement, unsafe dosages of CBD and the use of adulterated products make for a minefield of consumer caveat emptor.

Clinical studies have demonstrated potential risks of CBD, including liver toxicity, fatigue, and harmful interactions with other drugs. The Food and Drug Administration (FDA) has recently begun to take action. In October, it issued a strongly worded advisory discouraging pregnant and breastfeeding mothers from using CBD products. It also recently warned a Florida company that was illegally selling unapproved products containing CBD online with unsubstantiated claims that the products treat teething pain and earaches in infants, autism, attention-deficit/hyperactivity disorder (ADHD), among other conditions or diseases. We welcome that action by the FDA, and we want to see it doing more.

Advocates recognize the dangers for consumers and we are mobilizing. Earlier this month, National Consumers League (NCL) staff presented at a roundtable discussion of consumers and other partners about FDA’s authority to protect consumers via product testing and regulation of product marketing. The discussion allowed further sharing of information and identified opportunities to bring commonsense changes to the marketplace.

Consumers need access to good information about CBD, how to understand concentration levels in products, and the products’ risks. The FDA should take a more active role as a regulatory agency overseeing products that make health benefit claims. Our regulators should help consumers understand the difference between FDA-approved medicines and consumer products, including a definition of a safe level of CBD.

We welcome the potential that CBD has to offer new therapies and treatments, but the products in the marketplace must be safe and proven effective with hard science. NCL is committed to doing its part to help protect and educate consumers.

Computer chip defects force consumers to choose between speed and security

/in , , , , , , , , , , /by

October is National Cybersecurity Awareness Month! Since the first observation of this month 15 years ago, the world has gone from about 800 million Internet users to approximately 4.5 billion. Over that same period of time, there has been an extensive amount of time and energy dedicated to improving cybersecurity and cyber hygiene.

Sadly, despite those good faith efforts, it does not appear that consumers have become safer. In fact, it is clear by now that most individuals have, in one way or another, been affected by some sort of hack or data breach—either on a personal computer or through a company that they have entrusted with their sensitive information.

To make matters worse, beyond the heightened cyber threat environment that exists today, a new hardware-based vulnerability found in almost every processor in the world has recently emerged, and it is making it increasingly difficult for consumers to keep their data protected.

A new report released by the National Consumers League’s #DataInsecurity Project, “Data Insecurity: How One of the Worst Computer Defects Ever Sacrificed Security for Speed,” discusses the threat these processor flaws pose to consumers—both in terms of the security of their data and the performance of their computer after security patches are applied—and how they can protect themselves in the future.

The report details seven publicly disclosed exploits, known as “Spectre,” “Meltdown,” “Foreshadow,” “Zombieload,” “RIDL,” “Fallout,” and “SWAPGS,” that take advantage of the flaws found in CPUs manufactured by AMD, ARM, and Intel. While Spectre affects all three major chip manufacturers, all six subsequent exploits largely affect only Intel processors.

The exploits, in short, can allow a hacker to obtain unauthorized access to privileged information. And while patches have been released alongside each exploit, they have led to a decrease in computer speed and performance—as much as 40 percent according to some reports. In addition, the patch is only good until the next exploit is discovered.

The flaws create a real challenge for consumers: apply each temporary “fix” as new exploits are discovered and risk slowing down your device, or don’t and put your sensitive information at risk. And consumers who apply patches remain at the mercy of companies that hold their sensitive data and are faced with a similar dilemma, particularly as they must consider the expenses of implementing these fixes—including costs to add computing power lost by each patch.

The report concludes that the best protection for consumers is to buy a new computer that has a CPU with hardware-level security fixes or is immune from some of the exploits. Unfortunately, this is not practical for many consumers. Therefore, consumers are advised to perform frequent software updates. NCL is also strongly supporting data security bills, such as the Consumer Privacy Protection Act of 2017, which would require companies to take preventative steps to defend against cyberattacks and data breaches and to provide consumers with notice and appropriate protection when a data breach occurs.

As we mark this year’s National Cybersecurity Awareness Month, we should certainly celebrate the progress that we have made. We cannot lose sight, however, of the need to better secure our information and systems moving forward. Awareness and smart data hygiene by consumers is one part. Companies must do their part to secure our information as well.

If you are interested in learning more, you can find NCL’s latest report here.

If you care about cramped airline seats, you should care about the FAA’s evacuation tests

/in , , , , /by

Last month, I had the pleasure of testifying before the House Aviation Subcommittee on the implementation of the Federal Aviation Administration’s 2018 reauthorization bill. My testimony touched on many of the pressing consumer protection priorities for airline passengers teed up by the 2016 and 2018 FAA reauthorization bills. 

The big news coming out of that hearing, however, was FAA Deputy Administrator Daniel Elwell announcing that the FAA will this November conduct its first evacuation tests with live participants in two decades. While this may sound like the kind of announcement only politicos should care about, it’s actually a very big deal for anyone who flies 

Why is that, you may ask?  

FAA regulations require that the “maximum capacity” of an aircraft must be able to be evacuated in less than 90 seconds in an emergency. The analogy is to the “maximum capacity” signs you may have seen in conference rooms, hotels, or other public spaces. Since the 1990’s, airlines have gotten fuller, seats have gotten smaller, and more bags and support animals have been brought into the cabin. Despite these changes, FAA has not updated its evacuation standards and has been content to allow airlines to self-certify that they can meet the 90-second threshold, largely based on computer simulations. 

This all changed last July when Congress passed the 2018 FAA Reauthorization Act which requires FAA to set minimum seat size standards. That’s why Dan Elwell announced that the FAA will be conducting the tests in November. The airlines, which have been pulling down record profits in recent years as they’ve steadily crammed more butts into more and smaller seats, will almost certainly want the FAA to give its blessing that their sardine cans are safe.  

Unfortunately, the FAA seems intent on granting them their wish. The advisory committee it appointed to provide feedback on the evacuation standards is packed with industry insiders and hamstrung by its own charter from considering seat sizes and seat pitch (the room between seats) as part of its recommendations. The DOT’s Office of Inspector General has an ongoing audit of the evacuation standards, but there’s no indication that the FAA will wait on the results of that audit before it conducts its tests. 

We can’t let the FAA rubber stamp the airlines’ current inhumane and potentially unsafe seating configurations. That’s why NCL, along with a coalition of consumer and flyers rights groups this week sent a letter to the FAA and the DOT urging them to update their evacuation standards before the November tests. We’re calling on the agency to update its evacuation testing standards to account for things like the presence of passengers with disabilities, parents who are separated from their children (thanks in no small part to rising seat reservation fees), full overhead bins, and passengers who insist on taking their bags with them when they evacuate (or, even worse, filming themselves evacuating). These are all factors that are likely to slow down evacuations, but FAA’s evacuation testing standards don’t account for them. 

Updating evacuation testing standards may sound like wonky, inside-the-Beltway bureaucratese, but the consequences of not doing so could be deadly.

Why won’t New York’s governor Cuomo ban a nasty pesticide that harms children?

/in , , , , , , /by

Reid Maki is the director of child labor advocacy at the National Consumers League and he coordinates the Child Labor Coalition.

Something really curious is happening in New York State. In June, the New York Assembly passed a bill to ban the nasty pesticide chlorpyrifos, which damages the development of children. But that’s not the weird part.

What’s surprising is that Governor Andrew Cuomo has not signed the bill, despite the fact that the NY Attorney General Letitia James joined five other attorneys general in suing the Trump Administration’s federal Environmental Protection Agency because it overturned an Obama Administration ban on the pesticide.

“Chlorpyrifos is extremely dangerous, especially to the health of our children,” said Attorney General Letitia James. “Yet, the Trump Administration continues to ignore both the science and law, by allowing this toxic pesticide to contaminate food at unsafe levels. If the Trump EPA won’t do its job and protect the health and safety of New Yorkers, my office will take them to court and force them to fulfill their responsibilities.”

The other states that joined the suit are Washington, Maryland, Vermont, Massachusetts, and California—the latter is the country’s largest agricultural producer (measured by cash receipts) and has decided to remove chlorpyrifos from the market in 2020. 

Studies have also linked chlorpyrifos to autism, cancer, Parkinson’s disease, reduced IQ, loss of working memory, attention deficit disorders, and delayed motor development.

Nationally, home use was banned in 2001 because of its impact on children’s developing brains. In 2018, Hawaii became the first state to enact a complete ban on its use, which includes farms.

Chlorpyrifos is also thought to damage male reproductive organs to the point that it can make men sterile.

Since food safety authorities determined that there was no safe exposure level to chlorpyrifos—that any trace of the pesticide was too dangerous—the European Union is expected to ban entry of food products contaminated with the pesticide next year.

In August, the National Consumers League (NCL) and the Child Labor Coalition (CLC), which NCL co-chairs, joined 80+ groups—including many from New York—on a letter, urging Governor Cuomo to sign the chlorpyrifos ban. We were naïve enough to think he would.

With an avalanche of data suggesting it is too dangerous to use and his own attorney general suing over its use, why has Cuomo seemingly decided not to ban the pesticide? We can only guess. In July, the governor signed landmark legislation to protect farmworkers from labor abuses, ensure equitable housing and working conditions, and grant them collective bargaining, overtime pay, unemployment compensation and other benefits.

Farmworkers are some of the most exploited workers in America, and we applaud the governor for doing the right thing, but he seems to be taking the position that—having done something farm owners didn’t like—he shouldn’t sign the chlorpyrifos ban because they won’t like that either. The farmers see the pesticide as an effective tool to help them grow crops.

The problem is that chlorpyrifos doesn’t just harm those who eat farm produce; It harms the very people that produce crops—the farmers and the farmworkers and the children of both.

Should giving farmworker labor rights mean that it’s okay to endanger their fertility and cause their children to suffer developmental delays or autism? And from the farmers’ perspective, shouldn’t their children be protected from those afflictions? The governor shouldn’t be striving to protect some of the people some of the time, but should protect all of the people all of the time.

Reducing the mountain of waste on airplanes

/in , , , , , /by

On a flight to Idaho earlier this week, I brought my own coffee mug. My flight attendant was unexpectedly enthusiastic: “Anything that will help save the planet,” she said. I do not find this to be the case at Starbucks, where baristas insist on giving me a new plastic cup when I’m getting my iced tea, or at the Nespresso counter at Bloomingdales, which recently refused to serve me a coffee in my own cup. Reducing our personal footprint should be a big issue for all of us as we see the rapid pace of climate change and what it is doing to our beloved planet.  

At home, I can compost food scraps, choose to take public transportation, minimize food waste, and drive a hybrid car.  But it’s tough to do your part to conserve, reduce, reuse, and recycle and try to “save the planet,” as an airline passenger.  The New York Times reports that the average air passenger generates three pounds of waste in the form of plastic cups, the headphones, food left on plates, wrapping for snacks, and plastic cutlerymultiply that times 4 billion passengers a year, and it really adds up! 

Sixteen-year-old Swedish climate activist Greta Thunberg opted to sail to New York from Europe to avoid being part of the problem: emissions from airplanes.  

The International Air Transport Association (IATA), a trade group representing the airlines, estimated that planes generated 6.7 million tons of cabin waste last year. Another group that studied the waste found that it broke down as 33 percent food waste, 28 percent cardboard and paper, and 12 percent plastic.   

So, what are the airlines doing, and how can consumers be part of the solution? Well, airlines are under pressure to conserve precisely because consumers are demanding they do so, as the New York Times article reported.  Air France said it would eliminate 210 million singleuse plastic items like cups and coffee stirrers. Qantas has removed individually packaged servings of milk and Vegemite, and now serves meals in containers made from sugar cane, and utensils made from crop starch. Some United Airlines flights use “fully compostable or recyclable service ware.”  

Consumers can inquire about recycling products and demand changes in rigid rules on tossing out untouched food and drink, in place supposedly to protect agriculture. The trade group IATA estimates that these untouched items make up 20 percent of total airline waste. As reported by the New York Times, companies employed to help reduce airline waste are making dishes from pressed wheat bran and “sporks” from coconut palm wood. 

Asking the airlines what they are doing to reduce waste is a good start. Let’s press the airlines for answers andwhile we are it: what about hybrid or electric engines on planes? That is a topic we can explore another day. 

Protecting information privacy: challenges and opportunities in federal legislation

/in , , , , , , /by

Polly Turner-Ward

By NCL Google Public Policy Fellow Pollyanna Turner-Ward

On September 11, 2019, policymakers, industry stakeholders, and consumer advocates gathered at The Brookings Institution to discuss the pressing question of how to protect information privacy through federal legislation. Representing the National Consumers League was Executive Director, Sally Greenberg.

How did we get here?

To set the scene, panelists first discussed why there is consensus on the need for federal legislation to address privacy and data security. The Snowden revelations showed consumers how much of their data is out there, and they began to question whether companies could be trusted to keep their data safe from the government. More recently, in light of the Cambridge Analytica scandal and increasing instances of identity theft and fraud resulting from data breaches, consumers have begun to question whether companies themselves can be trusted with their data.

Businesses are worried about lack of consumer trust interfering with their adoption of digital products and services. For instance, parental refusal to provide consent to the collection and use of data regarding their kid’s academic performance prevents the personalization of their children’s learning experience. By providing individuals with greater privacy protections, businesses hope that individual participation in the digital economy will increase.

In response to consumer privacy concerns, a patchwork of state bills on privacy and data security are also popping up. Business claims to be overwhelmed by the idea of complying with these differing regulatory schemes, especially in light of the EU’s General Data Protection Regulation (GDPR), which has already moved many organizations to comply with privacy and data security rules. To support businesses and to regain U.S. privacy leadership, greater international operability is necessary.

What should federal legislation look like?

Each panelist set forth their idea of what federal legislation should aim to achieve. Intel drafted a privacy bill which includes various protections but which lacks a private right of action – that is, the ability to take wrongdoers to court if they violate privacy laws. If companies promise not to use your information in certain ways and then do it anyway, in violation of law, you should have the right to take them to court. NCL’s Sally Greenberg directed audience members towards the Public Interest Privacy Principles signed by thirty-four consumer advocacy and civil rights organizations. Advocating in favor of strong protections, strong enforcement, and preemption, and highlighting the importance of “baking data privacy into products and services”, she offered NCL’s vision of a strong, agile and adaptive national standard.

Panelists drew comparisons between this approach and that of the EU’s GDPR, but criticized the time-consuming and resource intensive nature of that legislation. They agreed that U.S. legislation should avoid being too prescriptive in the details. Rather than requiring documentation of policies, practices, and data flow maps, legislation should focus on high-level issues.

Breaking down these issues according to consensus and complexity, Cameron F. Kelly listed covered information, de-identification, data security, state enforcement, accountability, and FTC authority as solvable issues. Implementation issues, he said, include notice and transparency and individual rights (access, portability, right to object to processing, deletion, nondiscrimination). However, Mr. Kelly noted that disagreement clouds a number of complex issues. These relate to algorithmic transparency, algorithmic fairness, and data processing limitations (use restrictions). Until consensus is reached in these areas, disagreements about preemption and private right of action are unlikely to be resolvable.

Notice and Transparency 

While notice and transparency are important aspects of a comprehensive approach towards privacy and data security, it is difficult for consumers to process the volume of information contained in privacy policies. Consumers also often have little choice but to “agree” to services that are essential to everyday life. As such, legislators may wish to explore the extent to which a company may force an individual to waive their privacy rights as a condition of service. Consent should only have a limited role in relation to sensitive data uses, and companies should focus on designing user interfaces to enable meaningful consumer consent. Panelists criticized the California Consumer Protection Act (CCPA) for its lack of detail and for putting the burden on individuals to protect themselves. It was agreed that federal standards should move beyond notice-and-consent and put the burden back on businesses.

De-identification 

One panelist called de-identification the “secret sauce” to privacy. Preserving the utility of data while removing identification puts the focus on data processing harms. It is important to get de-identification right for valuable research purposes. However, de-identification is often not done well and confusion lurks around pseudonymization. This technique involves replacing personally identifiable information fields within a data record with artificial identifiers. As data remains identifiable using that technique, data security and privacy risks remain. Companies must be incentivized to effectively de-identify data, to not re-identify, and to contractually restrict downstream users from doing the same. To avoid conflating data security levels with pseudonymization levels, a universal and adaptable de-identification standard must be developed.

Data security 

Because data security is critical to privacy, panelists agreed that it is the foundation upon which privacy legislation should be built. Panelists warned against an overly prescriptive approach towards data security but suggested that the Federal Trade Commission (FTC) should offer more guidance. “Reasonable” data security depends upon the nature and scope of data collection and use. This affords organizations flexibility when adopting measures that make sense in terms of information sensitivity, context, and risk of harm.

However, determining data security standards according to the risk of privacy harm is difficult because “risk of privacy harm” is an unsettled and controversial concept. It was also debated whether “information sensitivity” should be used to determine the reasonableness of data security standards. Public Knowledge argued that all data should be protected in the same way because the distinction between sensitive and non-sensitive data is increasingly questionable. When data is aggregated and sophisticated technologies such as machine learning are applied, each and every data point can lead back to an identifiable person.

While use of off-the-shelf software should generally be considered reasonable, higher standards should apply to companies that are more aggressive in their data collection and use. Extending to third party processors and service providers, organizations must continually develop physical, technical, and legal safeguards. To ensure robust infrastructure to secure their data, they should run tests, impact assessments, and put resources towards data mapping.

Data processing limitations

In sectors ranging from education to healthcare, the use of data undoubtedly has the potential to help us solve many societal problems. However, data use is pervasive, and new and unpredictably bad outcomes are also possible. Consumers want data to be used in ways that benefit them, for data not to be used in ways that harm them, and for their data to be protected. However, information collection and sharing is largely unbounded. If Congress wishes to move beyond a notice-and-consent model and put the burden back on organizations that handle data, then the boundaries of how data should be collected, retained, used, and shared must be confronted. Without limitations, the high value of data will continue to incentivize organizations to collect and retain data for the sake of it. These practices increase cybersecurity and privacy risks on unforeseen levels.

Calling out data brokers, Intel’s David Hoffman stated that databases containing lists of rape victims are simply “unacceptable.” However, transfer restrictions are likely to be one of the hardest areas to reach consensus on. Use restrictions, which relate to what organizations can and cannot do with data at a granular level, may be approached by creating presumptively allowed and presumptively prohibited lists. Use and sharing could be presumptively allowed for responsible advertising, legal process and compliance, data security and safety, authentication, product recalls, research purposes, and the fulfillment of product and service requests. Meanwhile, use of data for eligibility determinations, committing fraud or stalking, or for unreasonable practices could be presumptively prohibited.

However, it is difficult to determine the standards by which a particular data use should be “green-lighted” or “red-lighted.” To determine if a data use is for a purpose related to that which a user originally shared data, factors may be considered such as whether the use is primary or secondary, how far down the chain of vendors processing occurs, and whether the processor has a direct or indirect relationship with the data subject. The FTC has done work to articulate “unreasonable” data processing and sharing, and the Center for Democracy and Technology’s Consumer Bill of Rights emphasizes respect for context (user expectations) by laying out applicable factors such as consumer privacy risk and information sensitivity.

However, “context” is difficult to operationalize. One option may be to grant the FTC rulemaking authority to determine issues such as which data uses are per se unfair, or which information is sensitive. The deception and unfairness standard has guided the FTC for decades. However, panelists were concerned about giving the FTC a blank check to use the abusiveness standard to deal with data abuses. Instead, the FTC could be given a clear set of instructions in the form of FTC guidance, legislative preamble, or written in detail in the legislation. If this approach is taken, it would be necessary to confront the difficult question of what harm legislation should seek to address. Because privacy injury is not clear or quantifiable, it is difficult to agree on the appropriate harm standard. A specific list of the types of injury – not an exhaustive list – resulting from data processing would give the harm standard substance, and algorithmic data processing ought to be directly confronted.

Because the purpose of data analysis is to draw differences and to make distinctions, the privacy debate cannot be separated from the discrimination debate. Intent to engage in prohibited discrimination is difficult to prove, especially with use of proxies. For instance, rather than directly using a protected characteristic such as racial heritage as a proxy to offer payday loans, an algorithm could use zip code or music taste as a proxy for race in order to decide who to advertise payday loans to. To provide clarity and to promote algorithmic fairness, existing discrimination laws could be augmented with privacy legislation by defining unfair discrimination according to disparate impact on protected classes (disadvantaged groups). Privacy legislation should ensure that data use does not contribute to prohibited discrimination by requiring risk assessments and outcome monitoring.

To increase consumer trust and to provide them with recourse when they suspect that they are the victims of unfair discrimination, legislation should directly confront algorithmic transparency and burden of proof. Consumers cannot be expected to understand the mechanisms that determine what advertisements they are presented with or how automatic decisions are made about them. However, organizations should not be able to escape liability by claiming that they do not have access to the data or algorithm necessary to prove discrimination claims.

Enforcement

Panelists agreed that State Attorney Generals need to be able to enforce the law and that the FTC requires increased resources and enforcement powers. As Congress cannot anticipate every possible scenario, it is appropriate to give the FTC narrow rulemaking authority, the authority to fine for first offences, to be able to approve codes of conduct, and to clarify guidance on how to comply with the law on issues such as de-identification. The FTC needs vastly more resources to be able to accomplish this oversight and enforcement role. The jury is out as to whether Congress will pony up.

Sally Greenberg described the importance of also including an option for private parties to bring class-action suits. However, there was disagreement between panelists about whether individuals should be able to privately enforce their rights where the government lacks the resources or will to act. David Hoffman highlighted evidentiary problems associated with the difficulty in proving privacy harms. To better serve the public, he argued in favor of the creation of a uniform standard with strong protections.

Preemption of state laws 

The objective of creating a consistent federal standard was emphasized as a key driving factor for industry for the creation of a federal bill. Not including preemption of state law is a kind of “deal-breaker” for industry. They claim that complying with a patchwork of fifty different data breach notification standards is hard today. It was suggested that states could be given a window of five years with no preemption to allow them to adapt and innovate, after which time the situation could be reviewed. Or the reverse – preempt for five years and sunset the federal law. These suggestions both have merit, but in the end, answering the questions of preemption and private right of action remain to be seen.

I’m going for the kids’ portion!

/in , , , , , , /by

With overweight and obesity stats in an upward trajectory, the National Consumers League and the Georgetown School of Business are partnering up for a survey on a simple topic: what do Americans know about portion sizes, calories of average foods, and how many calories we can eat each day without packing on the pounds? 

We have a health crisis in AmericaFrom 2015-2016, 39.8 percent of American adults were considered obesewhich means the body mass index (BMI) measurements of more than 129 million of us are considered obeseThe annual medical cost of obesity is estimated at $147 billion because heart disease, stroke, type 2 diabetes, and cancers are tied to obesity. What is particularly concerning is that more than a third of younger people, ages 20-39, are obese.  

In fact, the New York Times reported that roughly a fifth of our soldiers are obese! The military is trying to combat this problem by replacing sweet drinks with water and cutting out fried foods, but it’s not working. 

The United States Department of Agriculture’s Dietary Guidelines recommend that the average person should consume about 2,000 calories a day. Do most of us know that if you exceed 2,000 calories day regularly, you pack on the pounds? (That’s unless, of course, you’re getting a lot of calorieburning exercise or have a great metabolism.) Is that number too high for many of us? (It is for me. If I eat more than 1,650 calories, I know I’m going to put on weight.That’s what we want to find out with our research: what do Americans really know about this guideline? 

We will also be asking whether most Americans know how many calories are in average serving of common foods such as yogurt (150), hamburgers with bun (350), pizza (350 per slice), bagels (325), muffins (425), 4-piece fried chicken dinner with all the fixings (850-1,200), a 30oz. steak (1,400), a piece of cheesecake (650)big chocolate chip cookie (450)and an ice cream cone (300-400.) 

Also, dAmericans know what an average serving is? A Cheesecake Factory salad is not an average serving! Each of their salads have more than 1,300 calories. That’s too much for one meal. Unfortunately, restaurant serving sizes have increased a lot over the last several decades. 

Which brings me back to my headlinekids portions! I’ve begun sampling my local downtown DC upscale food spots popular with millennials like Roti, CAVAChoptThe custom is that you order a bowl of lettuce or spinach as a base and put lots of pretty healthy but also pretty caloric toppingsadd a protein for a few bucks extra, and crowned with shredded cheese and salad dressing. When you’re done, you have a big portion and lots of good food but also lots of caloriesalbeit not from hamburger and fries but still, calories! 

So try the kids’ portion! They are cheaper by a thirda lot less food, a lot fewer calories, and completely filling. My CAVA kids meal had a small white bread (unfortunately) pita, yogurt spread, two small spicy meatballs, cucumber salad, tomato salad, three pieces of fried breadand scoop of brown rice. In other words, a lot of food! I figured it was about 550 calories. Voila! A third of my 1,650 allowable daily intake of food. And I was stuffed. I’ll be trying other food outlets to check out the kids portions. And we recommend that other consumers do the samehelps to limit calories and prevent food waste when you’re eating out!