In the decade since amendments to the landmark Americans with Disabilities Act (ADA) took effect, businesses across all industries have confronted constant legal challenges concerning workplace and retail premises access, as well as complaints about online accommodations for people whose vision and hearing are impaired. The landmark legislation, first adopted in 1990 as a terrifically complicated 275-page treatise, has since expanded to an almost unimaginable scope and now addresses disability rights in everything from addiction rehabilitation services to biomedical research in space.
Manatt partner Donald Brown has been counseling clients on compliance and litigating accessibility disputes for more than two decades. He has advised retailers, banks, media companies and a host of other clients regarding compliance with the ADA, the Fair Housing Act and multiple states’ disability access laws. Donald helped formulate ADA solutions for companies that were facing some of the earliest claims involving interactive media and media streaming. He has deep and varied experience helping clients resolve access issues in retail, housing, lodging and health plan benefits, with respect to both online and on-premises compliance. As ADA litigation continues to be a major concern for retailers, Donald is available to defend disability access lawsuits and advise retailers on how to navigate and resolve prelitigation demands and federal and state government investigations.
Learn more about Donald’s background here.
Exit inspections conducted as retail employees of Nike leave the store may need to be compensated, the U.S. Court of Appeals for the Ninth Circuit determined in a class action, applying the California Supreme Court’s recent decision in Troester v. Starbucks Corp.
At each of Nike’s 34 retail stores in California, employees are required to submit to exit inspections each time they leave the store on a break or at the end of the day. The inspections vary in the time involved, based on factors such as whether the employee needs to wait at the exit for someone to check them and whether the employee is carrying a bag or box that must be inspected.
The inspections take place off the clock and are uncompensated, as they occur after the employee punches out.
After working at a Nike store for a few months, Isaac Rodriguez filed a class action lawsuit seeking compensation for the inspection time. A district court certified a class of retail store employees dating back six years.
Nike moved for summary judgment, arguing that Rodriguez’s claims were barred by the federal de minimis doctrine, which precludes recovery for otherwise compensable amounts of time that are small, irregular or administratively difficult to record. The employer put forth expert testimony that 92 percent of the inspections took less than a minute and 97 percent took less than two minutes.
The plaintiff challenged the expert’s conclusions and countered with deposition testimony from Nike store managers who said that exit inspections regularly took several minutes. Rodriguez also noted that the question of whether the federal de minimis doctrine applied to California Labor Code claims was then pending before the state’s highest court in Troester.
Declining to stay the dispute pending the California Supreme Court’s decision, the district court applied the de minimis doctrine and granted Nike’s motion for summary judgment.
Rodriguez appealed to the Ninth Circuit. In the interim, the Troester decision was issued. Based on Troester, summary judgment in favor of Nike had to be reversed, the federal appellate panel found.
“The issue on appeal is straightforward: did the District Court err in granting summary judgment for Nike based on the federal de minimis doctrine?” the court wrote. “The answer, after Troester, is equally clear: the federal de minimis doctrine does not apply to wage and hour claims brought under the California Labor Code. By applying the doctrine to Rodriguez’s claims, the District Court failed – understandably, given the legal landscape at the time – to ‘appl[y] the relevant substantive law.’”
In its decision, the district court relied on several premises that Troester explicitly rejected, the Ninth Circuit said, repeatedly invoking the federal doctrine’s ten-minute daily threshold for determining whether amounts of uncompensated time are de minimis. Troester made clear, however, that the ten-minute threshold is inconsistent with California labor laws, under which “an employee must be paid for ‘all hours worked’ or ‘[a]ny work’ beyond eight hours a day.”
While Nike conceded the district court applied the wrong legal standard, it argued that summary judgment remained appropriate because the exit inspections were de minimis – even under Troester. The California Supreme Court left open “whether there are circumstances where compensable time is so minute or irregular that it is unreasonable to expect the time to be recorded,” Nike pointed out.
While Troester rejected the de minimis defense as applied to a matter of minutes worked off the clock, Nike contended that its expert found most of the exit inspections took seconds.
But the Ninth Circuit was not persuaded.
“To the extent Nike urges us to interpret Troester as replacing the federal de minimis doctrine’s 10-minute daily threshold with a state-law 60-second analogue, we hereby decline to do so,” the court wrote. “Not only would this interpretation read far too much into Troester’s passing mention of ‘minutes,’ but it would clash with Troester’s reasoning, which emphasized the requirement under California labor laws that ‘employee[s] must be paid for all hours worked or any work beyond eight hours a day.’”
The Ninth Circuit doubted that Troester would have been decided differently if the closing tasks at issue had taken only 59 seconds per day.
“Instead, we understand the rule in Troester as mandating compensation where employees are regularly required to work off the clock for more than ‘minute’ or ‘brief’ periods of time,” the court said. “This rule does not require employers to ‘account for “[s]plit-second absurdities,”’ and it might not apply in cases where work is so ‘irregular that it is unreasonable to expect the time to be recorded.’ But where employees are required to work for more than trifling amounts of time ‘on a regular basis or as a regular feature of the job,’ Troester precludes an employer from raising a de minimis defense under California law.”
Applying this understanding to Rodriguez’s claims, the court reversed summary judgment in favor of Nike. The evidence before the court established that the exit inspections took between “zero seconds and several minutes” and that employees frequently exited multiple times per day.
“Given this evidence, we cannot conclude that exit inspections qualify as ‘split-second absurdities,’” the Ninth Circuit wrote. “Nor do they appear so ‘irregular that it is unreasonable to expect the time to be recorded.’ Even according to [Nike’s] study, the vast majority of inspections took measurable amounts of time, and there is a genuine dispute between the parties as to whether these amounts were more than ‘minute,’ ‘brief,’ or ‘trifling.’”
To read the opinion in Rodriguez v. Nike Retail Services, Inc., click here.
Why it matters: The Ninth Circuit’s decision demonstrates the impact of the California Supreme Court’s Troester decision. The federal appellate panel rejected the employer’s attempt to establish a state de minimis analogue, remanding the case for consideration of whether the time spent by Nike employees in exit inspections was “more than trifling.”
On Monday, July 22, the U.S. Food and Drug Administration (FDA) took a rare and significant step in issuing a warning letter to Curaleaf Holdings, Inc. (Curaleaf), one of the country’s larger producers of CBD-based products, regarding Curaleaf’s marketing of its CBD-based products for the treatment of diseases and other health concerns. The FDA has generally taken a passive approach to enforcement of industrial hemp-derived CBD products, which have flooded the market since the passage of the Agricultural Improvement Act of 2018 (also known as the 2018 Farm Bill) in December 2018 – making hemp-derived CBD production and interstate commerce explicitly lawful under federal law as long as compliant with the requirements thereunder. In fact, this marks only the fourth warning letter issued by the FDA to a CBD products manufacturer and the only such warning letter issued by the FDA since October 31, 2017.
The letter notes that certain Curaleaf products are unapproved “drugs” within the meaning of the Federal Food, Drug, and Cosmetic Act, because the products are intended for use in the “diagnosis, cure, mitigation, treatment, or prevention of disease and/or intended to affect the structure or any function of the body.” In making this determination, the FDA took issue with the following health claims:
According to the warning letter, the majority of these statements were pulled from Curaleaf’s website and social media pages.
Although the Curaleaf warning letter did not go so far as to say that retailers carrying Curaleaf products should cease doing so until Curaleaf meets the FDA requirements, one of the country’s largest retail and drugstore chains responded by immediately removing all Curaleaf products from its shelves – including lotions and transdermal patches which fell outside the FDA warning. Such a move by the chain signals its desire to partner only with fully legally compliant suppliers.
The FDA warning letter to Curaleaf underscores the need for all those in the industrial hemp supply chain – from cultivation to manufacturing to packaging and marketing to distribution to retailers – to understand the laws applicable to CBD commercial operations and to implement robust compliance programs that meet those laws.
Current federal law expressly permits hemp-derived CBD products that are compliant with the federal restrictions for THC content (0.3%), subject to state law restrictions. However, such products are still subject to other federal laws, including the Federal Food, Drug, and Cosmetic Act. The act requires that any product designed for use as a drug be subjected to the FDA’s drug approval process before the product may be distributed. In addition, FDA has taken the position that CBD may not be used in products designed for human or animal consumption, or in dietary supplements, prior to FDA approval for such use.
However, to date, enforcement of this policy has been inconsistent. In addition, some states have adopted legislation directly contradicting the federal prohibition of CBD use in food and dietary supplements, further muddying the legal framework for CBD products.
Until the FDA adopts a different policy, CBD product manufacturers, marketers, distributors and retailers engaging in interstate commercial activities should refrain from selling hemp-derived CBD food products or dietary supplements (including food and supplements for animals) or any CBD product that makes a health claim.
The FDA’s letter is available here: https://www.fda.gov/inspections-compliance-enforcement-and-criminal-investigations/warning-letters/curaleaf-inc-579289-07222019
The U.K. Information Commissioner’s Office (ICO) announced headline-grabbing proposed fines against British Airways and Marriott International, Inc. for alleged violations of the EU’s General Data Protection Regulation (GDPR).
Why it matters: The ICO’s proposed fines illustrate the authority it intends to wield with respect to enforcing the GDPR. Just over one year since the GDPR went into effect (May 25, 2018), the ICO is making a statement against iconic British and American brands, and its actions underscore the need for incorporating privacy and security into M&A due diligence processes as well as everyday business operations. The proposed fines are a reminder that regulators in certain jurisdictions have been granted significant authority under comprehensive data protection legislation being adopted globally, including under the California Consumer Privacy Act. It remains to be seen whether the companies can reduce the proposed fines through substantive arguments, such as British Airways’ apparent intent to argue that no persons were harmed by the security matter, or Marriott’s ability to demonstrate that it exercised reasonable due diligence prior to acquiring Starwood.
What happened: First, on July 8, 2019, the ICO announced its intention to fine British Airways £183.4 million ($230 million) in connection with a 2018 cybersecurity matter. The fine would amount to approximately 1.5% of the company’s 2017 annual revenue. It is the largest penalty announced to date for alleged GDPR violations. British Airways intends to dispute the ICO’s findings and fine, citing that it found no evidence of fraudulent activity on compromised accounts.
British Airways notified the ICO in September 2018 about the attack, which the ICO alleges began in June 2018 through British Airways’ website and mobile applications and compromised the protected data of nearly 500,000 customers. Specifically, the ICO’s investigation alleges that customer names, addresses, login credentials, payment card information and travel booking details were compromised. The ICO alleges that the breach was due to British Airways’ ineffective security practices but did not publicly release detailed investigative findings.
Second, on July 9, 2019, Marriott announced in a filing with the U.S. Securities and Exchange Commission that the ICO intends to fine it £99.2 million ($123 million) for GDPR violations related to a cybersecurity matter involving the guest reservation database it acquired from the Starwood hotels group in 2016. The fine represents nearly 3% of Marriott’s annual global revenue reported in 2018. Marriott also intends to dispute the ICO’s findings and fine.
The ICO confirmed the proposed fine, explaining that following Marriott’s notification in November 2018, the ICO conducted an investigation. Its investigation allegedly found vulnerabilities within Starwood’s guest reservation database that allegedly compromised protected data of up to approximately 339 million customers, including 7 million U.K. residents and 23 million residents of other EU countries. According to Marriott’s security incident notice, the Starwood guest profiles allegedly were compromised starting in 2014 until Marriott discovered the vulnerability in September 2018. The protected data included customer names, addresses, phone numbers, email addresses, passport numbers, dates of birth, gender, loyalty program information, travel booking details and encrypted payment card information. The ICO alleges that Marriott (i) failed to exercise sufficient due diligence by not assessing the protected data and security controls it was acquiring from Starwood; and (ii) should have done more to secure the Starwood systems after integrating the two companies. In this matter also, the ICO has not publicly released any detailed investigative findings.
Under Article 32 of the GDPR, data controllers and processors are required to implement appropriate technical and administrative controls, policies and procedures to protect personal information of EU residents and “ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services,” among other things. Article 32 allows companies to take a risk-based approach, without prescribing specific security requirements. The often discussed and feared Article 33 requires companies to report breaches within 72 hours of discovery and can result in fines as great as 4% of the company’s annual revenue.
Despite citing British Airways’ and Marriott’s cooperation and subsequent security enhancements, the ICO, serving as the lead supervisory authority on behalf of other EU member state data protection authorities (DPAs), announced the two fines in consultation with other DPAs. The DPAs whose residents allegedly have been affected will have an opportunity to comment on the ICO’s findings. Additionally, prior to finalizing its decision, the ICO will provide British Airways and Marriott with the opportunity to respond. Again, both companies plan to contest the ICO’s findings and penalties.
The Federal Trade Commission (FTC) and Food and Drug Administration (FDA) sent warning letters to four companies that manufacture and market flavored e-cigarettes, expressing concern about their influencer marketing practices on social media.
The agencies stated that posts on sites including Facebook, Instagram, and Twitter by influencers touting the products of Solace Vapor, Hype City Vapors, Humble Juice Co., and Artist Liquid Labs failed to include warnings that their products contain nicotine, an addictive chemical.
The FDA explained that the e-liquids are misbranded in violation of the Food, Drug, and Cosmetic Act because the influencers’ posts about these products did not include the required warning statement: “WARNING: This product contains nicotine. Nicotine is an addictive chemical.”
Adding to the companies’ problems, the FTC warned that the failure to disclose material health or safety risks in the influencers’ posts raises concerns that these posts could be unfair or likely to mislead consumers, in violation of the FTC Act’s prohibition on unfair or deceptive acts or practices.
In the warning letter to Solace Vapor, the agencies provided the example of a vaper with 1.7 million Instagram followers who promoted Solace Vapor products with at least six posts between October 2018 and April 2019 but never included a warning that the products contain nicotine. One post read, “Start your day off right with solacevapor sea salt blueberry salt water taffy and tart blueberry flavors, refreshing your mind and thoughts,” with no disclosures or warnings.
The FTC also expressed concerns about the lack of clear and conspicuous disclosure of the material connection between the influencers and the companies, and reiterated the FTC’s guidance provided in the Endorsement Guides and subsequent publications on this topic.
The FDA gave the companies 15 working days to respond to the FDA-related violations describing what actions they planned to take to address the concerns raised in the letters. The FTC did not require such a written response, but urged the companies to review their marketing, including influencer endorsements, to ensure that appropriate disclosures are made.
To read the warning letters, click here.
Why it matters: These warning letters show that the FTC and now the FDA are actively monitoring influencer activity on social media and going after companies that they think are violating the law. In addition to the specific nicotine warning requirement under the FD&C Act, it is important to note that the FTC Act also requires disclosure of material health or safety risks in social media advertising. Additionally, these warning letters serve as another reminder that companies that engage in social media marketing would be well-served to review their influencer marketing practices and implement a written policy to ensure that necessary disclosures of material connections are made in compliance with the FTC’s Endorsement Guides.
Are assessments from the credit card networks damages that a merchant should be liable for under its merchant agreement? The U.S. Court of Appeals for the Sixth Circuit affirmed a multimillion-dollar judgment in favor of the merchant, based on the language of its particular merchant agreement.
Spec’s Family Partners, the operator of dozens of liquor stores across Texas, was the victim of attacks on its network through which attackers installed malware and accessed card data. A forensics investigation revealed that at the time of the hacking incident, Spec’s was not in compliance with the Payment Card Industry Data Security Standard (PCI DSS). As a result, Visa and Mastercard issued assessments and passed along issuer reimbursements to the acquiring bank resulting from the security incidents.
The bank in turn debited the money from First Data, the merchant processor for Spec’s. First Data then demanded reimbursement from Spec’s, by withholding the proceeds of the daily settlement for its card transactions and placing them in a reserve account. The reserve eventually totaled $6.2 million.
Consistent with most merchant agreements, Spec’s indemnified First Data for any material breach of its representations, warranties and agreements, as well as for any act or omission that violated card network rules. However, relying on a provision in its merchant agreement that excluded liability for consequential damages, Spec’s alleged that First Data could not withhold the funds. On cross motions for summary judgment, a Tennessee federal court sided with Spec’s.
The district court held that the card brand assessments constituted consequential damages, eliminating liability for Spec’s under the contract. Discounting an alternative theory of liability put forth by First Data, the court further held that the merchant’s liability for “third-party fees and charges” applied to routine charges related to payment processing, not this type of special assessment. The court reasoned that because Spec’s was not liable for the assessment, it was not in breach of the agreement, although First Data materially breached the contract when it seized settlement funds to reimburse itself for the card brand assessments.
First Data appealed. In an unpublished opinion, the Sixth Circuit affirmed.
The federal appellate panel first addressed the indemnification and limitation clauses in the contract. Spec’s agreed to indemnify First Data, Visa and Mastercard from and against “any and all claims, demands, losses, costs, liabilities, damages, judgments or expenses arising out of or relating to (i) any material breach by [Spec’s] of its representations, warranties or agreements under this Agreement; [or] (ii) any act or omission by [Spec’s] that violates … any operating rules or regulations of Visa or Mastercard.”
But, the section also contained limitations. It provided that “[i]n no event shall either party’s liability of any kind to the other hereunder include any special, indirect, incidental or consequential losses or damages, even if such party shall have been advised of the possibility of such potential loss or damage.”
Spec’s insisted that the card network assessments passed down to First Data constituted consequential damages, exempting it from liability based on the above exclusion. The court agreed, explaining that “consequential damages,” also referred to as “special damages” by Tennessee courts, are the natural consequences of the act complained of, though not the necessary result.
“Here, the assessments fit comfortably within Tennessee’s classic consequential, or ‘special,’ damages formulation,” the panel wrote. “The data breaches, resulting reimbursement to cardholders and levying of assessments, though natural results of Spec’s PCI DSS non-compliance, did not necessarily follow from it.”
As Spec’s pointed out, a non-compliant merchant might never suffer a data security breach, the court said, and the card brands exercise discretion in issuing assessments, failing to levy them in every situation and never for PCI DSS non-compliance alone, in the absence of a security breach.
“Though certainly a foreseeable consequence of weak data security, the issuance of assessments nevertheless constitutes consequential damages because it did not necessarily follow from Spec’s Family’s non-compliance,” the court said. “Thus, First Data retains liability for the assessments under section 15(d) of the Merchant Agreement.”
The panel rejected First Data’s argument that an unbroken line connected Spec’s data security non-compliance and liability for the assessments, reiterating that the card brands exercise “considerable discretion” in imposing assessments following a breach, reducing and waiving assessments in some cases.
Nor was the court persuaded by the fact that Visa assessed Spec’s a separate $10,000 fine for PCI DSS non-compliance. “Visa issued that fine solely for non-compliance and regardless of the criminal attack, thus distinguishing it from the assessments,” the court said.
First Data also presented an alternative argument for liability based on a different section of the merchant agreement. However, the panel again sided with Spec’s. The clause required Spec’s to pay “any and all third-party fees and charges associated with the use of [First Data’s] services, as modified from time to time, including without limitation all telecommunications costs … and all Network fees and charges.”
First Data contended that “third-party fees and charges” include the assessments. However, the court noted the prefatory phrase “associated with the use of [First Data’s] services” and ruled that the PCI and data breach assessments are not associated with First Data’s processing services, but rather relate to reimbursement for liabilities passed down the payment card chain, the panel said. Unlike the telecommunications costs and network fees, which are specific examples of pass-through fees listed in the clause, “the assessments constitute unique, one-off liabilities that the parties do not ‘modif[y] from time to time.’”
The U.S. Court of Appeals, Eighth Circuit, in a 2017 decision also stemming from a merchant’s data breach, similarly held that damages from card network assessments sought by the merchant processor First Data were subject to the cap on liability contained in the merchant’s agreement. Also evaluating a limitation of liability clause, that court considered whether the card network assessments fell into the broad category of “fees, fines or penalties” for which the merchant would have been subject to a higher liability cap. Again holding in favor of the merchant, the court determined that the assessments (issuer reimbursements) were compensation for an injury, but not fees, fines or penalties based on the plain meaning of those terms.
Finding that Spec’s was not liable for the assessments, the appellate panel affirmed that First Data was the first to materially breach the contract by withholding settlement funds owed to Spec’s. Spec’s PCI DSS non-compliance was an immaterial breach, the Sixth Circuit wrote, as it fell short of “substantially defeat[ing] the contract’s purpose.”
The parties continued to perform under the merchant agreement after the security breach, demonstrating that even First Data did not consider the lack of PCI compliance vital to the existence of the contract, the court noted. “PCI DSS compliance served as a promise peripheral to the central benefit First Data expected – payment for its processing services,” the panel wrote. “Moreover, following the attacks, Spec’s investigated the breaches and took several steps to achieve full PCI DSS compliance, including segmenting off its payment card server and upping the account data encryption level.”
On the other hand, First Data’s withholding of the settlement funds “deprived Spec’s of its principal expected benefit under the contract – First Data’s faithful execution of processing services.”
The Sixth Circuit affirmed summary judgment in favor of Spec’s, along with an order to refund the money in the reserve account, plus interest.
To read the opinion in Spec’s Family Partners v. First Data Merchant Services, LLC, click here.
Why it matters
The decision is a victory for Spec’s, and combined with a consistent ruling by the Eighth Circuit, these cases may provide favorable authority for other merchants whose agreements, whether with First Data or another processor, contain a similar limitation of liability clause. The most important takeaway for merchants, however, is that contract language matters, and careful review and negotiation of the merchant agreement could have a meaningful positive impact on the merchant.
Nectar Sleep LLC should discontinue “limited offer” advertising claims for its Nectar mattress, the National Advertising Division (NAD) recommended in a challenge brought by competitor Tuft & Needle.
In retail, online and social media advertising, Nectar promoted its mattress with the claim “LIMITED OFFER: $125 OFF + 2 Free Pillows.” The challenger argued that the claim was misleading because it offered a price comparison to a fictitious former price, with no indication that the Nectar mattress had ever been sold at a higher price.
Further, Nectar doesn’t offer the pillows for sale, Tuft & Needle told the NAD. If a user tries to purchase a pillow, she is directed to a page showing the item is “out of stock.”
Nectar responded that its mattresses were offered at the regular price for “a substantial period of time” and that while its pillows may have been out of stock for some limited period of time, it has offered them for sale in the past and continues to do so.
The NAD noted the case was initially referred to the Federal Trade Commission (FTC) after Nectar failed to provide a substantive response. Following the referral, the advertiser returned to the NAD and agreed to participate in the self-regulatory forum.
Reviewing the claim, the NAD emphasized that advertisers must communicate the price of a sale item and ensure that the promised savings are real. The decision reminded advertisers of the FTC Guides Against Deceptive Pricing, which make clear that the use of a fictitious former price as a point of comparison constitutes false advertising.
“Based on the evidence in the record, NAD determined that the ‘LIMITED OFFER: $125 Off’ claim was misleading to consumers,” the NAD wrote. “The advertiser did not provide NAD with any evidence about its previous advertising for its mattresses or pillows. Indeed, despite the advertiser’s representations to the contrary, it does not appear that the Nectar mattresses were ever offered for sale at the ‘regular’ price prominently displayed on its website or in its retail advertising.”
As for the pillows, the self-regulatory body found the statement misleading for similar reasons, as the advertiser provided no evidence that the “2 Free Pillows” offer had been made available to consumers even for a limited amount of time.
The NAD recommended that the advertiser discontinue the challenged claim.
To read the NAD’s press release about the case, click here.
Why it matters: Advertisers would be well served to review their pricing claims, as challenges to deceptive pricing are popping up not only before the NAD but in courts across the country. Fossil Group recently paid $4.5 million to settle a deceptive pricing suit, while earlier this year, a California appellate panel ruled that a state statute was not unconstitutionally vague on its face or as applied to national retailers accused of deceptive pricing.