D’ART OF WAR: Family Favorite Food Supplier Prepares For TCPA Battle.
Hey TCPAWorld!
Things are heating up as we’re less than two weeks away from one-to-one consent starting January 27, 2025.
With that being said, the TCPA complaint we’re covering this week includes a familiar name. D’Artagnan Inc., renowned for its gourmet food, has recently become the target of a TCPA lawsuit. Ariane Daguin, its CEO and founder, has revolutionized the culinary world as a female chef and entrepreneur, championing high-quality and ethically sourced ingredients since 1985. While its reputation for quality endures, the gourmet food giant now finds its telemarketing operations tested at the forefront of a TCPA dispute.
In MCGONIGLE v. D’ARTAGNAN, INC., No. 1:25-CV-00052 (E.D. Va. Jan. 11, 2025), McGonigle (“Plaintiff”) alleges that even though Plaintiff has been listed on the National Do-Not-Call Registry (“DNCR”) for over 10 years, D’artagnan, Inc. (“Defendant”) delivered at least eight telemarketing text messages to Plaintiff’s residential number, on at least seven separate days in September 2024. One example reads:
D’Artagnan: Don’t miss out! Enjoy $15 flat rate shipping + 10% OFF on all orders. Sale ends tonight. Shop now: https://dartagnan.attn.tv/agwvswGzqaA7
Id. at ¶ 13. Due to these accusations, Plaintiff filed a Complaint in the Eastern District of Virginia alleging Defendant violated the DNC provisions, 47 U.S.C. 227(c)(5) and 47 C.F.R. § 64.1200(c), by delivering telemarketing messages to Plaintiff, while Plaintiff was listed on the DNCR.
Plaintiff seeks to represent the following class:
All persons throughout the United States (1) who did not provide their telephone number to D’Artagnan, Inc., (2) to whom D’Artagnan, Inc. delivered, or caused to be delivered, more than one voice message or text message within a 12-month period, promoting D’Artagnan, Inc. goods or services, (3) where the person’s residential or cellular telephone number had been registered with the National Do Not Call Registry for at least thirty days before D’Artagnan, Inc. delivered, or caused to be delivered, at least two of the voice messages or text messages within the 12-month period, (4) within four years preceding the date of this complaint and through the date of class certification.
Id. at ¶ 21.
Frequently Asked Questions About the New Jersey Data Protection Act, Effective January 15, 2025
The New Jersey Data Protection Act (NJDPA), N.J. Stat. § 56:8-166.4 et seq., will go into effect on January 15, 2025, as New Jersey joins eighteen other states with comprehensive data privacy laws.
The Garden State’s Division of Consumer Affairs Cyber Fraud Unit recently posted answers to twenty-four frequently asked questions (FAQs) that offer a comprehensive summary of the law, outline definitions, and explain consumer rights and business responsibilities.
Quick Hits
The New Jersey Data Protection Act (NJDPA) takes effect on January 15, 2025, as New Jersey joins eighteen other states with comprehensive data privacy laws.
The NJDPA defines a “consumer” as a New Jersey resident acting in an individual or household context, excluding those acting in commercial or employment contexts.
The New Jersey Division of Consumer Affairs will provide a grace period for enforcement of the NJDPA until July 1, 2026.
Our prior article laid out the obligations the statute entails and the relatively small universe of companies that are covered under the NJDPA. (The statute does not have a specific title, and as a result, it has been referred to in different publications by various names, such as the “New Jersey Data Protection Act,” the “New Jersey Data Privacy Act,” or the “New Jersey Data Privacy Law.”) The FAQs offer some insight and further clarification as to the scope and application of the law.
Who Is a ‘Consumer’ Under the NJDPA?
The FAQs state an important distinction regarding the scope of the NJDPL, namely, that the NJDPL does not cover employment records. In the statute, “consumer” is defined as a person who is a New Jersey resident acting only in an individual or household context. In contrast, the definition of consumer does not include a person acting in a commercial or employment context. For example, a New Jersey resident who has his or her personal data collected by a retailer while making a purchase for the consumer’s household is protected under the NJDPL. However, a New Jersey resident who has his or her personal data collected by a potential employer while applying for a job is not protected under the NJDPL. (See FAQ #5.)
Are There Special Protections for Children and Minors?
The FAQs indicate that in New Jersey, controllers must obtain consent before processing personal data of consumers aged thirteen to sixteen. This requirement is broader than the statute, which only mandates consent for targeted advertising, selling personal data, or profiling with significant effects, and applies when the controller knows or willfully disregards that a consumer is thirteen to seventeen years old. Although nonbinding, the FAQs suggest the Division of Consumer Affairs may adopt a stricter approach to children’s privacy, using a “should know” standard rather than the statute’s “actual knowledge or willful disregard” standard. (See FAQ #18.)
Will Enforcement Begin Immediately When the NJDPA Becomes Effective?
The FAQs clarify that even though businesses and other entities that are controllers of personal data are expected to comply with the NJDPL when the law becomes effective, there will be a grace period for bringing enforcement actions. Specifically, until July 1, 2026, if the Division of Consumer Affairs identifies a potential violation that the controller can remedy, the division will send a notice to the controller to give them the chance to fix the problem. If the controller does not fix the problem within thirty days, the division can proceed with an enforcement action. (See FAQ #23.)
Does the New Jersey Division of Consumer Affairs Intend to Adopt Regulations?
The division stated in its answer to FAQ #24 that regulations would be issued in 2025. “In the meantime,” the division noted, “controllers and processors are required to comply with the [NJDPA] starting on January 15, 2025.”
Capital One Accused of Defrauding Customers of $2B in Interest
Capital One Accused of Defrauding Customers of $2B in Interest. Capital One is facing a lawsuit from the Consumer Financial Protection Bureau (CFPB) for allegedly deceiving consumers regarding its high-interest savings account offerings. The lawsuit claims that customers incurred losses exceeding $2 billion in potential interest earnings. In a complaint submitted on Tuesday, the CFPB […]
CSB’s New Transparency Initiative
On January 14, 2025, the U.S. Chemical Safety and Hazardous Investigation Board (“CSB”) released Volume One of a series of detailed reports on serious accidental chemical incidents reported to CSB under the Accidental Release Reporting Rule, implemented in March 2020.[1]
Prior to July 2022, CSB incident reported was limited to basic incident data—facility name, locate, date, and outcome: fatality, serious injury, or substantial property damage. CSB’s new initiative represents a landmark shift in chemical safety transparency. The release of detailed incident summaries, including analysis of probable cause and contributing factors, creates significantly increased legal and operational risks that require immediate strategic attention.
Volume One: A Look at the Data
This initial report meticulously details 26 events from April 2020 to September 2023 across 15 states, including California, Texas, and Louisiana. The incidents, resulting in 5 fatalities, 17 serious injuries, and approximately $700 million in damages, involved refineries, chemical plants, and food processing facilities.
Volume One does not just report the what—it delves into the why, detailing various incident types and causes. This means that specifics about incidents, previously kept internal, will now be accessible to the public, including employees, communities, and competitors. As a result, companies should expect heightened scrutiny and a renewed focus on preventing incidents.
Each incident summary goes beyond a basic factual account, offering:
Detailed Chronology: A timeline of events, actions taken, and consequences.
Probable Cause Determination: A clear statement of the probable cause of the incident, often pinpointing equipment failures, process malfunctions, operational errors, or inadequate safety procedures.
Contributing Factors: A breakdown of secondary factors contributing to the incident’s severity, such as inadequate training, maintenance deficiencies, and design flaws.
Technical Specifications: Inclusion of technical data, such as pressure readings, temperatures, and quantities of materials released.
Safety Recommendations: Concrete, actionable recommendations for preventing similar incidents, directed at specific companies, industry organizations, and/or regulatory bodies.
Implications
The release of Volume One and future volumes carries significant implications for legal strategy and risk management. For example, the detailed reports may provide plaintiffs with readily accessible evidence and new avenues for legal action and argumentation. Any incidents reported to the CSB, no matter how minor, will be subject to public review and analysis. This includes the details of the incident and the CSB’s findings regarding its probable cause. CSB’s finding may also influence regulatory agencies to enact stricter enforcement and new regulations. Public awareness of incidents and associated probable causes may also affect a company’s reputation and investor or stakeholder relations.
The CSB’s new transparency initiative fundamentally changes the legal and operational environment for energy companies. Proactive analysis of Volume One and the implementation of robust safety and compliance measures are no longer optional—they are essential for mitigating future legal and reputational risks. CSB intends to make these compiled incident reports available to the public via its website “on a regular basis.”[2]
Volume One can be found here.
[1] CSB News Release, “U.S. Chemical Safety Board Announces New Safety Product to Provide the Public with More Information about Serious Chemical Incidents Reported to the Agency” (Jan. 14, 2025), available at https://www.csb.gov/-us-chemical-safety-board-announces-new-safety-product-to-provide-the-public-with-more-information-about-serious-chemical-incidents-reported-to-the-agency-/.
[2] Id.
New York Amends Data Breach Notification Law to Enhance Notification Requirements, Expand Definition of ‘Private Information’
On December 24, 2024, New York Governor Kathy Hochul signed into law amendments to New York’s private-sector data breach notification law (General Business Law § 899-aa) and government agency data breach notification law (New York State Technology Law § 208).
The private-sector changes include a thirty-day deadline for businesses to notify New York residents impacted by a data breach, and both laws now have an expanded definition of “private information” that includes medical and health insurance information. The new notification requirements are effective immediately, whereas the expanded definition of “private information” will become effective on March 21, 2025, for both laws.
Quick Hits
Businesses must now notify New York residents impacted by a data breach within thirty days after a data breach has been discovered.
The state’s Department of Financial Services must now be notified of a data breach along with other regulatory agencies.
The definition of “private information” was expanded to include a person’s medical information and health insurance information.
Notification Requirements
Effective immediately, persons or businesses that are required to notify New York residents of a data breach must provide notification within thirty days after discovery of the breach. This same thirty-day timeframe also applies to the obligation for service providers to notify the data owner or licensee of a data breach. Previously, the New York data breach notification law required only that disclosure of a breach be made as expediently as possible and without unreasonable delay, but it did not provide a specific deadline. The amendments further removed language in the law that allowed businesses to delay notification consistent with “any measures necessary to determine the scope of the breach and restore system integrity,” although notification may still be delayed based on the legitimate needs of law enforcement. Both of these changes eliminate the flexibility businesses were previously afforded in the timing of data breach notifications.
The amendments also expand data breach notice requirements to regulatory agencies. The New York State Department of Financial Services (NYDFS) must now be notified of a data breach, in addition to the previously existing requirement to notify the state’s attorney general, the New York Department of State, and the state police. Such agency notices must still include the timing, content, and distribution of the notices, the approximate number of affected persons, and a template of the individual notice. This requirement to notify NYDFS is also separate from the disclosure requirements for covered entities under the NYDFS cybersecurity regulations (23 NYCRR Part 500).
The thirty-day notification requirement, however, does not apply to data breach notification obligations for government agencies or entities. These public entities are still only required to notify affected individuals “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement … or any measures necessary to determine the scope of the breach and restore the integrity of the data system.” In other words, although private-sector businesses now have a strict thirty-day deadline to report data breaches, state governmental agencies and entities still enjoy wider discretion in the timing of their same notification obligations.
Expanded Definition of ‘Private Information’
The amendments further expand the definition of “private information” under both the private-sector and public-sector data breach notification laws. Effective March 21, 2025, private information under both laws will also include:
medical information, including the individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; and
health insurance information, including the individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application or claims history, including the individual’s appeals history.
The expanded definition of “private information” means that a data breach involving medical or health insurance information may now trigger notification requirements under New York law. Notably, the New York data breach notification laws are distinct from other state and federal laws that govern medical or health insurance information in certain contexts, such as the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule, the Federal Trade Commission’s Health Breach Notification Rule, and the recently adopted New York State Department of Health’s hospital cybersecurity regulations. As a result, in some instances, a data breach involving medical or health insurance information may now implicate overlapping legal obligations and notification requirements.
Key Takeaways
Businesses may want to consider reviewing their incident response plans and other data security policies and practices to comply with New York’s updated data breach notification requirements.
Cookware Association Files Federal Challenge to Minnesota’s Ban on PFAS in Cookware
The Cookware Sustainability Alliance (CSA) announced on January 9, 2025, that it has filed suit in the U.S. District Court for the District of Minnesota, seeking a preliminary injunction of Minnesota’s ban on the sale of cookware containing intentionally added per- and polyfluoroalkyl substances (PFAS). CSA v. Kessler (No. 0:25-cv-00041). According to CSA, the chemical coating on nonstick cookware contains fluoropolymers, which “are fundamentally different compounds from the chemicals that have motivated concerns about PFAS.” CSA claims that Minnesota’s ban violates the U.S. Constitution’s prohibition on individual states regulating interstate commerce and has raised other constitutional challenges to Minnesota’s statute. CSA states that it has offered to work cooperatively with Minnesota “to secure an exemption for fluoropolymer coated nonstick cookware because of their low-risk profile.”
CJEU Orders the European Commission to Pay Damages for Data Transfers to the U.S.
On January 8, 2025, the General Court of the Court of Justice of the European Union (“CJEU”) issued its judgment in the case of Bindl v Commission (Case T-354/22), ruling that the European Commission (the “Commission”) must pay damages to a German citizen whose personal data was transferred to the U.S. without adequate safeguards.
Background
The case concerned the Commission’s website for the “Conference on the Future of Europe,” which offered users the ability to register for events by signing in using their Facebook account, among other sign-in options.
The claimant, a citizen living in Germany, alleged that selecting this option caused his personal data—including his IP address and browser details—to be transferred to U.S.-based Meta Platforms, Inc. In addition, the claimant asserted that his personal data had been transferred to Amazon Web Services via the Amazon CloudFront content delivery network used on the website. He argued that the transfer posed risks, as the U.S. did not ensure an adequate level of data protection under EU law and that the data could potentially be accessed by U.S. intelligence services. At the time of the transfer in March 2022, the Commission had not yet finalized a new adequacy decision regarding the U.S., following the invalidation of the EU-U.S. Privacy Shield Framework by the CJEU in the Schrems II case.
The claimant sought €400 in damages for the non-material harm he allegedly suffered due to the transfers and €800 for an alleged infringement of his right of access to information. He also sought a declaration that the Commission acted unlawfully in failing to respond to his request for information and annulment of the data transfers.
Anyone who believes the European Union (through one of its institutions) is responsible for non-contractual liability can file a claim for damages. For such liability to apply, three conditions must be met: (1) a serious violation of a law that gives rights to individuals; (2) actual damage; and (3) a direct connection between the unlawful actions and the harm caused.
The Findings
The General Court issued a mixed ruling in this case:
The General Court dismissed the claim regarding the transfer of data to Amazon Web Services, finding insufficient evidence that the transfer had occurred unlawfully. During one of the individual’s connections to the website in question, the General Court found that data was transferred to a server in Munich, Germany, rather than the U.S. In the case of another connection, the individual was responsible for redirecting the data via the Amazon CloudFront routing mechanism to servers in the U.S. Due to a technical adjustment, the individual appeared to be located in the U.S.
The General Court also rejected the claims related to the alleged infringement of the claimant’s right to access information, ruling that no harm had been demonstrated.
Further, the General Court dismissed the annulment application as inadmissible and found no need to adjudicate the claim of failure to act.
However, the General Court held the Commission responsible for enabling the transmission of the claimant’s personal data―specifically, the claimant’s IP address―to Meta Platforms, Inc. via the “Sign in with Facebook” The General Court found that the Commission had not implemented appropriate safeguards to legitimize such transfer and had therefore committed a sufficiently serious breach of a rule of law that is intended to confer rights on individuals. In this case, the claimant argued that he had suffered non-material damage due to uncertainty about how his personal data, especially his IP address, was being processed. The General Court found that there was a sufficiently direct causal link between the Commission’s violation and the harm sustained by the individual. As a result, the General Court granted the complainant damages and ordered the Commission to pay €400.
An appeal addressing only legal issues may be filed within two months and ten days of receiving the General Court’s decision.
Read the judgment.
French Insider Episode 38: Securing the Future: Cybersecurity & Data Privacy in the Trump Era with Jonathan Meyer, Liisa Thomas and Carolyn Metnick of Sheppard Mullin [Podcast]
In this episode of French Insider, Sheppard Mullin partners Jonathan Meyer, Liisa Thomas and Carolyn Metnick join host and French Desk Co-Chair, Valérie Demont, to explore the evolving landscape of cybersecurity and privacy under a new Trump administration.
What We Discussed in This Episode:
What is CISA and what is its role in cybersecurity?
What can we expect from the Trump administration regarding cybersecurity?
Could we see less regulation but greater enforcement?
Might there be more stringent regulation with respect to cyber attacks and private ransomware?
Where does the United States currently stand in terms of privacy law?
What is the current status of state and federal privacy laws in relation to the healthcare industry?
In terms of privacy, where could enforcement be headed under the incoming administration?
How do the various state attorneys general and federal agencies coordinate on enforcement?
What enforcement trends should businesses be aware of, and what do they need to focus on?
What specific enforcement trends are we seeing in the healthcare space?
Generally speaking, what types of penalties could result from enforcement actions?
Could a company’s officers and directors face personal liability, either criminal or civil?
How might class action litigation originate from a cybersecurity or privacy incident?
What should businesses prioritize in terms of cybersecurity and privacy compliance?
Sleeping Defendant: Plaintiff Secures Win for Class Certification and Damages Discovery
Hey TCPAWorld!
Bringing you a quick (painful and avoidable) ruling out of the Middle District of Florida in Ownby v. United 1st Lending, LLC., 2025 WL 81344 (M.D. Fla, Jan. 13, 2025).
By way of background, Plaintiff filed this action against United 1st Lending back in September 2024, alleging violations of the Telephone Consumer Protection Act (TCPA) and the Florida Telephone Solicitation Act (FTSA).
And what did United First Lending do in response? Nothing. So, Plaintiff secured a clerk’s default.
While Defendant sleeps, Plaintiff is on the move! And not just any Plaintiff’s counsel, local South Floridian Manny Hiraldo from TCPA’s Power Rankings of the most dangerous Plaintiff’s Firms.
In the underlying ruling, Plaintiff filed a Motion for leave to conduct class certification and damages-related discovery.
Again, what did United First Lending do in response? Nothing. Absolutely Nothing. Unbelievable.
The court, in a brief order, reiterated that district courts have broad discretion when it comes to class certification. According to Federal Rule 23, plaintiffs must meet certain criteria to get the class certified. Rule 23 mandates that a plaintiff demonstrate (1) the putative class is so numerous that joinder of all members is impracticable; (2) there are questions of law or fact common to the putative class; (3) the claims or defenses of the representative parties are typical of the claims or defenses of the putative class; and (4) the representative parties will fairly and adequately protect the interests of the putative class. Fed. R. Civ. P. 23(a). The 11th Circuit recognizes that sometimes, even when a defendant defaults, plaintiffs might need a bit of discovery to nail down that certification. This case is no different.
Plaintiff anticipates the class could be massive—hundreds, if not thousands, of members—and he needs evidence like call logs to prove it.
The court found these assertions convincing enough to grant the motion, giving Plaintiff another win and granting his Motion for class certification and damages-related discovery. Just painful!
And now, United 1st Lending is about to experience the full brunt of class discovery—a grueling process that delves into records, logs, and everything else. One of my favorite parts of litigation. Somebody wake up United 1st Lending?!
If you’re a defendant, you never want to ignore a complaint. Respond! Do something! But lying down like a sleeping dog is a surefire way to get walked all over.
If you need assistance, don’t hesitate to reach out to Troutman Amin, LLP – we are awake and ready to help!
Til next time, Countess!!!
FDA Finalizes a New Definition of ‘Healthy’ for Food Labeling
On Dec. 19, 2024, the U.S. Food and Drug Administration (FDA) announced a long-awaited final rule revising the definition of “healthy” when used in the labeling of food products.
The rule revises the FDA’s criteria for use of terms like “healthy,” “healthful,” and “healthier,” terms that are implied nutrient content claims (NCCs) under FDA regulations in 21 CFR 101.65. To make a compliant “healthy” claim under the new criteria, a food product needs to (1) contain a specified amount of food from at least one of the food groups or subgroups identified, which include fruit, vegetables, grains, fat-free and low-fat dairy, and proteins recommended by the Dietary Guidelines for Americans and (2) contain levels of added sugars, saturated fat, and sodium below certain specified limits. The new definition of “healthy” also includes water, tea, and coffee with five calories or fewer per serving, without having to meet any other criteria.
The FDA, which has regulated the term “healthy” since 1994, noted that the definition needed an update “to be consistent with current nutrition science and Federal dietary guidance, especially the Dietary Guidelines for Americans (Dietary Guidelines), regarding how consumers can maintain healthy dietary practices.” While the effective date of this rule is 60 days from the Dec. 27, 2024, date of publication in the Federal Register, the industry will have over three years to evaluate this new definition of “healthy” and to change packaging and labeling as necessary, as the compliance date is Feb. 25, 2028.
The FDA issued a proposed rule in September 2022, soliciting comments from stakeholders on its revised definition of “healthy.” The FDA then issued its final rule after reviewing over 400 submitted comments. The final rule revises the criteria for determining when the term “healthy,” or derivative terms such as “healthful” and “healthier,” can be legally used as a NCC when labeling human food, beverage, and dietary supplement products to help consumers identify foods that are particularly useful as the foundation of a nutritious diet consistent with dietary recommendations. The FDA amended 21 CFR 101.65(d) by removing various upper limits pertaining to total fat and cholesterol, as well as certain minimums for at least one of fiber, protein, vitamin A, vitamin C, calcium, or iron. Instead, the new definition focuses on just three nutrients: saturated fat, added sugars, and sodium.
In addition to allowing water, tea, and coffee with five calories or fewer to be identified as “healthy,” the FDA, for the first time, has recognized that certain food categories should be recognized as inherently “healthy” when comprising no added ingredients other than water. Those foods include vegetables, fruit, whole grains, fat-free or low-fat dairy, lean meat, seafood, eggs, beans, peas, lentils, nuts, and seeds. This means that companies selling products like avocados and cashews, which were previously excluded because of high levels of naturally occurring saturated fat, may now label these foods “healthy” under the new definition.
The FDA has also introduced the concept of food groups and food group equivalents (FGEs) as an aspect of the “healthy” definition, identifying different ceilings for allowable added sugars, sodium, and saturated fat, based on the food group. For mixed ingredient products, certain threshold levels of one or more of the food groups must be included, in addition to meeting the requisite levels of saturated fat, sodium, and added sugars, in order to use the term “healthy.” The FDA provides a table listing the various criteria for each type of food or group in the revised 21 CFR 101.65(d).
Included in the revised rule are obligations for manufacturers to make and keep written records to verify that any food promoted with a “healthy” claim meets the FGE requirements. The FDA is also exploring the development of a “healthy” symbol that manufacturers could use to market a product’s “healthy” characteristics, although no symbol has yet been finalized.
EPA Issues Final Risk Management Rules for Trichloroethylene, Perchloroethylene, and Carbon Tetrachloride
The U.S. Environmental Protection Agency (EPA) released final risk management rules under the Toxic Substances Control Act (TSCA) for trichloroethylene (TCE) and perchloroethylene (PCE) on December 9, 2024, and for carbon tetrachloride (CTC) on December 11, 2024. EPA states that all uses of TCE will be banned over time, with “the vast majority of identified risks eliminated within one year,” and safer alternatives readily available for the majority of uses. The PCE rule will ban manufacture, processing, and distribution in commerce of PCE for all consumer uses and many commercial uses, while allowing some workplace uses to continue only where robust workplace controls can be implemented. The CTC rule will require “robust worker safety programs” while banning some uses.
TCE
EPA’s December 9, 2024, press release states that TCE is used as a solvent in consumer and commercial products such as cleaning and furniture care products, degreasers, brake cleaners, sealants, lubricants, adhesives, paints and coatings, and arts and crafts spray coatings, and is also used in the manufacture of some refrigerants. According to EPA, “[s]afer alternatives are readily available for the majority of these uses.”
The final rule (89 Fed. Reg. 102568) states that to address unreasonable risk, EPA is:
Prohibiting the manufacture (including import), processing, and distribution in commerce of TCE for all uses (including all consumer uses), with longer compliance timeframes for manufacture, processing, and distribution in commerce related to certain industrial and commercial uses;
Prohibiting the industrial and commercial use of TCE, with longer compliance timeframes for certain uses;
Prohibiting the manufacture (including import) and processing of TCE as an intermediate for the manufacturing of hydrofluorocarbon 134a (HFC-134a), following an eight-and-a-half-year phase-out;
Prohibiting the industrial and commercial use of TCE as a solvent for closed-loop batch vapor degreasing for rayon fabric scouring for end use in rocket booster nozzle production by federal agencies and their contractors, following a ten-year phase-out;
Prohibiting the manufacture (including import), processing, distribution in commerce, and use of TCE as a laboratory chemical for asphalt testing and recovery, following a ten-year phase-out;
Prohibiting the manufacture (including import), processing, distribution in commerce, and industrial and commercial use of TCE as a solvent in batch vapor degreasing for essential aerospace parts and components and narrow tubing used in medical devices, following a seven-year TSCA Section 6(g) exemption;
Prohibiting the manufacture (including import), processing, distribution in commerce, and industrial and commercial use of TCE as a solvent in closed-loop vapor degreasing necessary for rocket engine cleaning by federal agencies and their contractors, following a seven-year TSCA Section 6(g) exemption;
For vessels of the Armed Forces and their systems, and in the maintenance, fabrication, and sustainment for and of such vessels and systems, prohibiting the industrial and commercial use of TCE as: potting compounds for naval electronic systems and equipment; sealing compounds for high and ultra-high vacuum systems; bonding compounds for materials testing and maintenance of underwater systems and bonding of nonmetallic materials; and cleaning agents to satisfy cleaning requirements for: materials and components required for military ordnance testing; temporary resin repairs in vessel spaces where welding is not authorized; ensuring polyurethane adhesion for electronic systems and equipment repair and installation of elastomeric materials; various naval combat systems, radars, sensors, and equipment; fabrication and prototyping processes to remove coolant and other residue from machine parts; machined part fabrications for naval systems; installation of topside rubber tile material aboard vessels; and vapor degreasing required for substrate surface preparation prior to electroplating processes, following a ten-year TSCA Section 6(g) exemption;
Prohibiting the emergency industrial and commercial use of TCE in furtherance of the National Aeronautics and Space Administration (NASA) mission for specific conditions that are critical or essential and for which no technically and economically feasible safer alternative is available, following a ten-year TSCA Section 6(g) exemption;
Prohibiting the manufacture (including import), processing, distribution in commerce, disposal, and use of TCE as a processing aid for manufacturing battery separators for lead acid batteries, following a 20-year TSCA Section 6(g) exemption;
Prohibiting the manufacture (including import), processing, distribution in commerce, disposal, and use of TCE as a processing aid for manufacturing specialty polymeric microporous sheet materials following a 15-year TSCA Section 6(g) exemption;
Prohibiting the manufacture (including import), processing, distribution in commerce, and use of TCE as a laboratory chemical for essential laboratory activities and some research and development activities, following a 50-year TSCA Section 6(g) exemption;
Requiring strict workplace controls to limit exposure to TCE, including compliance with a TCE workplace chemical protection program (WCPP), that includes requirements for an interim existing chemical exposure limit (ECEL) revised from the proposed rule, as well as dermal protection, for conditions of use (COU) with long term phase-outs or time-limited exemptions under TSCA Section 6(g) or prescriptive workplace controls;
Prohibiting the disposal of TCE to industrial pre-treatment, industrial treatment, or publicly owned treatment works (POTW), through a phase-out allowing for longer timeframes for disposal necessary for certain industrial and commercial uses, along with a 50-year TSCA Section 6(g) exemption for disposal for cleanup projects before prohibition and interim requirements for wastewater worker protection; and
Establishing recordkeeping and downstream notification requirements.
EPA notes that all TSCA COUs of TCE are subject to the final rule. The final rule will be effective January 16, 2025.
PCE
EPA’s December 9, 2024, press release states that PCE is a solvent that is widely used for consumer uses such as brake cleaners and adhesives, in commercial applications such as dry cleaning, and in many industrial settings. According to EPA, “[s]afer alternatives are readily available for the majority of these uses.”
The final rule (89 Fed. Reg. 103560) states that to address unreasonable risk, EPA is:
Prohibiting most industrial and commercial uses and the manufacture (including import), processing, and distribution in commerce of PCE for those uses;
Prohibiting the manufacture (including import), processing, and distribution in commerce of PCE for all consumer use;
Prohibiting the manufacture (including import), processing, distribution in commerce, and commercial use of PCE in dry cleaning and spot cleaning through a ten-year phase-out;
Requiring a WCPP, including an inhalation exposure concentration limit, direct dermal contact controls, and related workplace exposure controls, for many occupational COUs of PCE not prohibited;
Requiring prescriptive workplace controls for use of PCE in laboratories and energized electrical cleaners;
Establishing recordkeeping and downstream notification requirements;
Providing a ten-year time limited exemption under TSCA Section 6(g) for certain emergency uses of PCE in furtherance of NASA’s mission, for specific COUs that are critical or essential and for which no technically and economically feasible safer alternative is available; and
Identifying a regulatory threshold for products containing PCE for the prohibitions and restrictions on PCE.
EPA notes that all TSCA COUs of PCE are subject to the final rule. The final rule will be effective January 17, 2025.
CTC
EPA’s December 11, 2024, press release states that CTC is a solvent used in commercial settings as a raw material for producing other chemicals like those used in refrigerants, aerosol propellants, and foam-blowing agents. EPA notes that the U.S. Consumer Product Safety Commission banned the use of CTC in consumer products in 1970. According to EPA, requirements under the Montreal Protocol on Substances that Deplete the Ozone Layer and the Clean Air Act phased out CTC production in the United States in 1996 for most domestic uses that did not involve manufacturing other chemicals. The continued, safe use of CTC in the manufacture of low global warming potential chemicals used in refrigerants, aerosol propellants, and foam-blowing agents “is particularly important in the agency’s efforts to support the American Innovation and Manufacturing Act of 2020 (AIM Act) and the Kigali Amendment to the Montreal Protocol.”
The final rule (89 Fed. Reg. 103512) states that to address unreasonable risk, EPA is:
Requiring a WCPP, including an inhalation exposure concentration limit, direct dermal contact controls, and related workplace exposure controls, for the following occupational COUs of CTC not prohibited:
Domestic manufacture;
Import;
Processing as a reactant in the production of hydrochlorofluorocarbons (HCFC), hydrofluorocarbons (HFC), HFOs, and PCE;
Incorporation into formulation, mixture, or reaction products in agricultural products manufacturing, vinyl chloride manufacturing, and other basic organic and inorganic chemical manufacturing;
Repackaging for use as a laboratory chemical;
Recycling;
Industrial and commercial use as an industrial processing aid in the manufacture of agricultural products and vinyl chloride;
Industrial and commercial use in the elimination of nitrogen trichloride in the production of chlorine and caustic soda and the recovery of chlorine in tail gas from the production of chlorine; and
Disposal;
Requiring use of laboratory ventilation devices, such as fume hoods or glove boxes, and dermal personal protective equipment (PPE) for the industrial and commercial use as a laboratory chemical;
Prohibiting these additional COUs, for which EPA understands use of CTC has already ceased:
Incorporation into formulation, mixture, or reaction products in petrochemical-derived manufacturing, except in the manufacture of vinyl chloride (for which EPA is requiring a WCPP);
Industrial and commercial use as an industrial processing aid in the manufacture of petrochemicals-derived products, except in the manufacture of vinyl chloride (for which EPA is requiring a WCPP);
Industrial and commercial use in the manufacture of other basic chemicals (including manufacturing of chlorinated compounds used in solvents, adhesives, asphalt, and paints and coatings), except for use in the elimination of nitrogen trichloride in the production of chlorine and caustic soda and the recovery of chlorine in tail gas from the production of chlorine (for which EPA is requiring a WCPP);
Industrial and commercial use in metal recovery;
Industrial and commercial use as an additive; and
Industrial and commercial use in specialty uses by the U.S. Department of Defense (DOD);
Requiring recordkeeping; and
Requiring manufacturers (including importers), processors, and distributors to provide downstream notification of the requirements.
EPA notes that all TSCA COUs of CTC are subject to the final rule. The final rule will be effective January 17, 2025.
Commentary
Bergeson & Campbell, P.C. (B&C®) is pleased that EPA completed its risk management activities but disappointed with the approach EPA has taken. It is vitally important that EPA take action to protect health and the environment, especially workers who may be exposed to these three substances, but EPA fails to follow the statutory standard and meet its own regulations, and neglects to use the best available science. As with the other risk management rules, EPA remains vulnerable to legal challenges for not meeting the scientific standards under TSCA Section 26. In addition, EPA failed to comply with its own regulations for following the procedures for conducting risk evaluations. We discuss each of these points in more detail below. B&C expects entities impacted by these final rules to seek petitions for review, further delaying the implementation of the measures necessary to protect against unreasonable risk.
Under TSCA Section 6(b)(4)(C), EPA is required to “conduct and publish risk evaluations” in accordance with a rulemaking that establishes procedures for such evaluations. The relevant rulemaking cited in the final risk evaluations for TCE, PCE, and CTC was the 2017 Procedures for Chemical Risk Evaluation Under the Amended Toxic Substances Control Act (the Risk Evaluation Rule). The Risk Evaluation Rule codified regulatory definitions (e.g., weight of scientific evidence) and required application of a systematic review method that “uses a preestablished protocol…and integrate[s] evidence…”.
EPA was informed publicly about issues with its systematic review method as early as July 2019 by a public commenter at a meeting of the TSCA Science Advisory Committee on Chemicals (SACC). The public commenter made the following statements about EPA’s use of the 2018 Application of Systematic Review in TSCA Risk Evaluations (the 2018 TSCA SR document), including:
The first critical piece of missing information is creating a protocol which is used to review all the evidence and outline the process for conducting the review. This helps minimize bias and ensure transparency in the decision-making process. It’s also required by law to have a preestablished protocol, and there’s not one for 1,4-Dioxane or the other TSCA chemicals. [see pp. 125-126 of the meeting transcript.]
EPA was informed in February 2021 by the U.S. National Academies of Sciences, Engineering, and Medicine (NASEM) that its 2018 TSCA SR document did not meet the criteria of “comprehensive, workable, objective, and transparent” and that “The OPPT approach to systematic review does not adequately meet the state-of-practice.”
EPA acknowledged in its December 2021 Draft Systematic Review Protocol Supporting TSCA Risk Evaluations for Chemical Substances Version 1.0 that it “did not have a complete clear and documented TSCA systematic review (SR) Protocol [in the first ten risk evaluations].” EPA further acknowledged that an “Evidence Integration process…was not previously included in the 2018 TSCA SR document [used for TCE, PCE, and CTC].”
Despite public comments, NASEM’s review, and EPA’s acknowledgements, EPA did not remedy these issues in the first ten risk evaluations, including the risk evaluations for TCE, PCE, and CTC. Rather, EPA re-issued final unreasonable risk determinations with the following unsupported blanket statement in each: “EPA views the peer reviewed hazard and exposure assessments and associated risk characterization [for TCE, PCE, and CTC] as robust and upholding the standards of best available science and weight of the scientific evidence per TSCA sections 26(h) and (i).”
In addition to these weaknesses that apply to all the completed risk management rules, each of these three rules suffers from additional weaknesses.
TCE
EPA stated in the preamble of the final rule that it “recognizes that the interim ECEL of 0.2 ppm as an 8-hr TWA does not fully address the unreasonable risk from TCE, hence, the term ‘interim.’’’ EPA further stated that “Potentially exposed persons may continue to be at risk for the developmental [i.e., fetal cardiac defects] and immunotoxicity effects that provide the basis for EPA’s ultimate prohibition.” In comparison, EPA concluded in the 2020 Final Risk Evaluation for Trichloroethylene “that acute immunosuppression and chronic autoimmunity were the best overall non-cancer endpoints for use in Risk Evaluation under TSCA, based on the best available science and weight of the scientific evidence, and were used as the basis of risk conclusions…”.
EPA subsequently departed from its statements about the best available science and weight of scientific evidence for TCE in the proposed and final risk management rules. As noted above, EPA stated on January 9, 2023, in the final revision to the risk determination for TCE that the 2020 Final Risk Evaluation for Trichloroethylene upheld the scientific standards under TSCA Section 26. Also on January 9, 2023, EPA issued a press release stating that it will develop “existing chemical exposure limits [ECELs] based on both the immune endpoint [i.e., a generally agreed upon effect by the TSCA SACC; see p. 70 of the TSCA SACC final report and consistent with the final risk evaluation] and the CHD endpoint [i.e., fetal cardiac defects, which EPA had rated previously as a lower quality study] in support of risk management.” EPA clarified this decision by stating that the fetal cardiac defects endpoint “was not relied on to determine whether there is unreasonable risk from TCE [in the 2020 Final Risk Evaluation for Trichloroethylene] because of direction not to do so that was provided by the previous political leadership.” For discussion of this claim, see our memorandum dated January 19, 2023. Because Section 6(a) mandates that EPA regulate to the extent necessary to mitigate the risk identified in the risk evaluation, it is not clear that EPA can promulgate a rule to protect against hazards not identified as representing the best available science and weight of scientific evidence in the final risk evaluation.
PCE
EPA stated the following in the final risk management rule for PCE:
EPA is finalizing as proposed an ECEL under TSCA section 6(a) of 0.14 ppm (0.98 mg/m3) as an 8-hour TWA based on the chronic non-cancer human equivalent concentration for neurotoxicity.
EPA’s ECEL was derived using studies (i.e., Cavalleri et al., 1994 and Echeverria et al., 1995) judged by NASEM as “appropriate to use as a point of departure [POD] for derivation of the [Integrated Risk Information System’s (IRIS) reference concentration] RfC…[see p. 5 of the NASEM report].” The TSCA SACC concluded that EPA’s use of these studies and deriving a midpoint value as the POD was “appropriate [see pp. 62-63 of the TSCA SACC final report].” We, therefore, do not anticipate successful challenges of EPA’s ECEL, based on the scientific standards under TSCA Section 26. Given the scientific robustness of the ECEL, it is not clear why EPA elected to ban COUs that might be undertaken in compliance with a WCPP that includes that ECEL. As with other of EPA’s final risk management rules, EPA seems to be issuing regulations with prohibitions that go beyond the extent necessary to protect against the unreasonable risks identified in the final risk evaluation.
CTC
EPA stated the following in the final risk management rule for CTC:
EPA is finalizing as proposed an ECEL under TSCA section 6(a) of 0.03 ppm (0.2 mg/m3) for inhalation exposures to CTC as an 8-hour TWA based on the threshold POD for liver cancer (assuming a margin of exposure of 300) and the [inhalation unit risk] IUR for adrenal cancer.
EPA derived the ECEL using a POD of 6 mg/m3 based on liver tumor data from female mice chronically exposed to CTC via inhalation. As EPA stated, it applied a benchmark margin of exposure (MOE) of 300 to this POD, which consisted of 10× for intraspecies (human to human) uncertainty (i.e., UFH), 3× for interspecies (animal to human) uncertainty (i.e., UFA), and 10× for uncertainty with extrapolating from a lowest-observed-adverse-effect-concentration (LOAEC) to a no-observed-adverse-effect-concentration (NOAEC) (i.e., UFLOAEC to NOAEC or UFL).
We agree with EPA’s use of a threshold approach for carcinogenicity of CTC as recommended by the TSCA SACC. See p. 51 of the TSCA SACC’s final report to “Consider adoption of a threshold-type [mode of action] MOA in estimating the carcinogenic risks of carbon tetrachloride.” Unfortunately, EPA did not follow its own guidance for developing the POD and benchmark MOE.
During the public comment period on the proposed risk management rule for CTC, members of the public commented on EPA’s threshold approach, specifically noting that application of the LOAEC-to-NOAEC (UFL) approach rather than using benchmark dose (BMD) modeling was inconsistent with EPA’s own guidance documents (see slides 15 and 16 of the public comments). Note, when BMD modeling is used, a UFL is not applied because BMD modeling reduces the uncertainty represented by the UFL. The public commenters performed BMD modeling on the liver tumor data from female mice and concluded that their results “were statistically valid and identical to EPA’s 2010 BMD results” (see slide 11 of the public comments). Using the BMD approach, rather than the UFL approach, the public commenters derived an ECEL of 1.5 ppm (i.e., 9.5 mg/m3) (see slide 12 of the public comments). EPA did not explain why it did not use the BMD modeling approach.
EPA’s statement about the “IUR for adrenal cancer” is questionable, given that these tumors were evaluated recently by carcinogenicity experts who concluded that “The pheochromocytomas in rodents are not relevant to human cancer risk.” EPA has yet to refute that conclusion.
Conclusions
B&C anticipates that the common procedural issues with the final risk evaluations for TCE, PCE, and CTC may serve as an underlying basis for challenging the final risk management rules on these substances. We acknowledge that courts will generally give deference to EPA’s interpretation of science, but we question whether this will occur, particularly with the issues discussed above with TCE and CTC, when EPA departs from its own standards. We anticipate that EPA may be challenged for prohibiting occupational COUs when EPA concludes that compliance with the WCPP and ECELs protects against the unreasonable risks identified. EPA’s own conclusion about the protective effect of a WCPP undermines any argument that a ban is required to protect to the “extent necessary” under TSCA Section 6(a).
NYDFS Urges Companies to Exercise Caution Due to Threats Posed by Remote Workers with Ties to North Korea
The New York Department of Financial Services (“NYDFS”) recently cautioned regulated entities to be aware of individuals applying for remote technology-related positions due to an increase in reported threats from North Korea. Threat actors have repeatedly attempted to access company systems and illegally generate revenue for North Korea under the guise of seeking remote Information Technology jobs at U.S. companies.
According to the NYDFS, these applicants often pose as individuals from the U.S. and other countries, using false and stolen identities and proxy accounts that belong to U.S.-based individuals, some of whom may knowingly sell their identities, assist with account creation, and participate in required pre-employment drug screening tests. Applicants use a variety of other tactics to hide their location and/or identity, such as using virtual private networks (“VPNs”) to make it appear that they originate and reside in U.S.-based locations when applying for telework positions, avoiding video or in-person conferencing, and asking for devices to be shipped to different locations pre-employment.
The NYDFS urged companies to take several steps to protect their systems from threat actors, including:
Raising awareness of this threat among senior executives, information security personnel third-party service providers, and human resources through targeted training;
Conducting due diligence during the hiring process by implementing stringent background checks and identity verification procedures;
Utilizing technical and monitoring controls, including procedures to track and locate corporate laptops and cellphones to ensure that they are delivered and remain at the initially reported residence, and flagging events related to location (e.g., change of address);
Limiting remote employees’ access to systems and data necessary to perform their jobs; and
Notifying the FBI’s Internal Crime Complaint Center if the company suspects that a remote worker is engaging in a fraudulent remote work scheme.
The NYDFS guidance provides additional detail and examples for implementing each of these steps. Federal agencies are also pursuing the IT worker threat, including the U.S. Departments of State and Treasury, and the Federal Bureau of Investigation.