Photo of Azim ChowdhuryPhoto of Tracy Marshall

The new European Union (EU) General Data Protection Regulation (GDPR) replaces the Data Protection Directive on May 25, 2018 and will directly impact all companies, including vapor product retailers and businesses, that market and sell products to consumers in the EU and/or employ residents of the EU. The reforms will give European consumers new rights and control over the personal data collected from and about them, and impose new obligations on businesses within and outside of the EU that collect personal information from EU citizens, regardless of where they reside, or from individuals who reside in the EU, regardless of their nationality.  Given the magnitude of potential penalties for violations of the GDPR (supervisory authorities are authorized to impose fines of up to 4% of global annual turnover for serious infringements and 2% for less serious infringements), it is imperative that vapor product retailers and others selling into the EU or handling data about Europe-based individuals ensure they are GDPR-ready.

The new rules empower individuals by, among other things, (1) providing easier access to personal data and more information on how data is processed, (2) facilitating data portability, or transfers of personal data between service providers, (3) clarifying the fundamental “right to be forgotten” for individuals who no longer wish for their data to be processed, and (4) requiring expedited notifications to the national supervisory authority by companies that experience a data breach affecting personal data.

Most companies operate with multiple streams of data, such as HR data, consumer data, vendor/supplier data, and the like. A good starting point is for businesses to assess their current data collection practices and identify gaps, and use that to map out a step-by-step compliance plan specific to their data collection practices that fully prepares them for the new GDPR world.

We provide below a summary of the key requirements in the GDPR and a compliance checklist for businesses. Please note that the summary and checklist are provided for informational purposes only, and do not constitute legal advice regarding specific facts or circumstances.

GDPR KEY REQUIREMENTS
Personal Data The term “personal data” means “any information concerning an identified or identifiable natural person.” An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier or to one or more factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity.
Extraterritorial Effect The Regulation applies not only to the processing of personal data by controllers and processors in the EU, but also the processing of personal data of data subjects who are in the EU by a controller or a processor not established in the EU, if the processing activities are related to offering goods or services to the data subjects or monitoring their behavior within the EU.
Lawfulness of Processing To be lawful, at least one of the following must apply:

  • The data subject consents;
  • Processing is necessary for the performance of a contract to which the data subject is a party;
  • Processing is necessary for compliance with a legal obligation to which the controller is subject (under EU or Member State law);
  • Processing is necessary to protect the vital interests of the data subject or another natural person;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (under EU or Member State law);
  • Processing is necessary for legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Consent Consent to processing must be unambiguous, specific, informed, and freely given (for example, checking a box at a website or choosing technical settings). Pre-checked boxes do not constitute consent. For sensitive data (for example, data revealing race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation), consent must be explicit. When processing has multiple purposes, consent should be given for all of them. Consent may be withdrawn.
Data Processing Processing of personal data must be lawful, fair, and transparent. Individuals should be made aware of the risks, rules, safeguards and their rights in relation to the processing of personal data. The specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection. Personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. Time limits should be established for erasure or periodic review. Personal data should be processed in a manner that ensures appropriate security and confidentiality.
Right to be Forgotten Individuals have a right to request deletion of data, with some exceptions (for example, if retention is legally required).
Data Portability Individuals have the right to easily transfer personal data between different service providers.
Children Special rules apply to children’s data. Where a child is below age 16, processing is lawful only if parents or guardians consent. Member States may establish a lower age for these purposes, so long as the age is not below age 13.
Controller Responsibility Personal data must be processed under the responsibility and liability of the controller, who must ensure and document compliance for each processing operation. Controllers should only use processors who provide sufficient guarantees in terms of expert knowledge, reliability and resources to implement technical and organizational measures that will meet the requirements of the Regulation. Adherence to an approved code of conduct or certification mechanism may be used to demonstrate compliance. There must be controller-processor agreements in place that describe the subject matter, duration, nature and purposes of the processing, type of personal data, and categories of data subjects. Upon completion of the processing, the processor must, at the controller’s election, return or delete the data, unless the processor is required by law to store it. Joint and several liability for controllers and processors.
Data Protection Impact Assessments

Data controllers must conduct Data Protection Impact Assessments (DPIAs) for “risky” processing. DPIAs should be completed before beginning any type of processing which is “likely to result in a high risk.” This means even though the actual level of risk may not have been assessed, a DPIA may be necessary based on identifying factors that point to the potential for a widespread or serious impact on individuals. Some jurisdictions may impose DPIA requirements on specific types of processing.

 

If the DPIA indicates that processing involves a high risk that cannot be mitigated, controller should consult supervisory authority (DPA) prior to the processing.

Data Protection Officer Organizations must appoint a data protection officer (DPO) in three situations: the processing is carried out by a public authority; the core activities of the controller or processor consist of processing operations which require regular and systematic processing of data subjects on a large scale; or the core activities involve processing sensitive data or criminal convictions on a large scale.
Documentation Controllers and processors must document all processing and make documentation available to DPA on request.
Data Breach Notification Controllers must notify DPA within 72 hours of learning of a breach, where feasible; no notification is required if a breach is unlikely to result in risk to the rights or freedoms of individuals. Controllers must notify data subjects without undue delay, where the breach is likely to result in a high risk to their rights or freedoms. Notifications to data subjects should describe the nature of the breach and recommendations for individuals to mitigate potential adverse effects. Processors must notify controllers.
Streamlined Approvals A single DPA can be designated the lead, enabling multiple DPAs to handle cases in a more streamlined manner.
Codes of Conduct and Certification Codes of conduct are encouraged, and are subject to approval by the Commission, and compliance should be monitored by an appropriate expert, accredited body. Approved codes of conduct will be registered and published. Data protection certification mechanisms, seals and marks are encouraged.
Transfers to Other Countries Transfers to other countries are permitted based on a determination that the country provides adequate protection of privacy; transfers are subject to adequate safeguards (for example, binding corporate rules, standard contractual clauses, an approved code of conduct, approved certification mechanisms, explicit informed consent).
Reduced Notifications Supervisory notifications about data processing are no longer required, but permission is required to process certain categories of data.
Art 29 Working Party (WP29) WP29 will be “upgraded” to an independent European Data Protection Board.
WP29 Guidance WP29 has issued guidance on several aspects of the GDPR that provide clarification and recommendations:

DPA Enforcement DPAs have enhanced enforcement powers, including expanded investigatory authority.
Complaints and Remedies EU citizens can lodge complaints with local DPAs, even where data is processed extra-territorially, and have the right to a judicial remedy against supervisory authorities who fail to act and against controllers and processors.
Penalties DPAs are authorized to impose fines of up to 4% of global annual turnover for certain serious infringements; 2% for less serious infringements.


GDPR Compliance Checklist 

Types of Personal Data Collected
Identify types of data collected
Identify sensitive data
Identify data collected from children/ whether parental consent is required
Data Processing
Appoint data protection officer (DPO)
DPOs must be appointed if:

  • The processing is carried out by a public authority;
  • The core activities of the controller or processor consist of processing operations which require regular and systematic processing of data subjects on a large scale; or
  • The core activities involve processing sensitive data or criminal convictions on a large scale.
  • May also be Operating/established in a jurisdiction (such as Germany) with more stringent requirements.
  • WP29 guidance on DPOs
  • “Core activities”: defined by WP29 as those that are integral to “the controller’s or processor’s activity.”
  • “Large scale”: WP29 recommends that businesses consider the number of data subjects concerned; the volume of data or range of data items; and the duration and the geographical extent of the processing.
  • “Regular and systematic monitoring”: WP29 states this would “include all forms of tracking and profiling on the internet, including for the purposes of behavioral advertising.”
Confirm the lawful basis for the processing:

  • Consent
  • Necessary for compliance with a legal obligation to which the controller is subject
  • Necessary for the performance of a contract to which the data subject is a party
  • Necessary to protect an individual’s vital interest
  • Legitimate interests of the controller (i.e., providing client services or preventing fraud)
  • Transfers of personal data among controllers within an affiliated group for internal administrative purposes
  • Strictly necessary and proportionate for ensuring network and information security
If consent is the basis for the processing:

  • Must be unambiguous, specific, informed, and freely given
  • Must obtain consent for each processing activity/purpose
  • Explicit consent required for sensitive data
Confirm that personal data collected is adequate, relevant and limited to what is necessary for the purpose(s)
Determine whether a data protection impact assessment (DPIA) is required (high-risk processing)

  • Systems that analyze a person’s economic situation, location, health, personal preferences, reliability or behavior
  • Video surveillance systems
  • Data in large scale filing systems on children, genetic or biometric data
DPIA, if required, should address

  • Contemplated processing and purposes
  • Necessity and proportionality of the processing in relation to the purposes
  • Risks to the rights and freedoms of data subjects
  • Safeguards and security measures to address the risks
If DPIA indicates that processing would result in high risk, then consult DPA prior to processing
Data subjects must be informed about:

  • Identity and contact information for controller and DPO
  • Purposes of the processing and legal basis
  • Recipients/ categories of recipients of personal data
  • Period for which personal data will be stored
  • Right to request access to and correction or erasure of personal data or to restrict processing
  • Right to withdraw consent at any time
  • Right to file complaint with supervisory authority
Review privacy policies and update as necessary
Establish system for documenting processing operations
Amendments to third-party contracts to ensure compliance with GDPR and e-Privacy Directive (and eventually e-Privacy Regulation)
Data Storage
Determine where and how data is stored
Establish limits for erasure of data and periodic reviews
Review data retention policies to ensure data only kept for as long as necessary
Establish and/or review processes for rectifying or deleting inaccurate data
Prepare template responses for data access requests
Data Transfers to Other Countries
Review and analyze global data flows
Assess validity of current mechanisms for transfers of personal data from the EU to the U.S. or other countries, for example:

  • Adequacy determination
  • Binding corporate rules
  • Standard contractual clauses
  • EU–U.S. Privacy Shield
  • Codes of conduct
  • Certification mechanisms
  • Explicit, informed consent in limited circumstances
Assess feasibility/benefits of approved codes of conduct and certification mechanisms
Assess need for controller-controller and/or controller-processor agreements; review content for compliance with new requirements
Data Security
Review technical and organizational measures in place to prevent unlawful destruction, loss, alteration, disclosure of/ access to personal data

  • Pseudonymization and encryption
  • Ability to ensure ongoing confidentiality integrity, availability, and resilience of processing systems and services
  • Ability to restore availability and access to data in timely manner in the event of a physical or technical incident
  • Process for regularly testing, assessing and evaluating the effectiveness of the security measures in place
Ensure that processors are employing adequate technical and organizational measures; address in contracts
Establish and/or update data breach response plan

For more information on the GDPR or other privacy or data security matters, and how they affect businesses involved in e-liquid and vapor products, please contact Tracy Marshall (+1 202.434.4234, marshall@khlaw.com), Azim Chowdhury (+1 202.434.4230, chowdhury@khlaw.com), or Nathan A. Cardon (+1 202.434.4254, cardon@khlaw.com).

Photo of Azim Chowdhury

This interview originally appeared here: https://www.cyclopsvapor.com/blog/qa-with-azim-chowdhury-pRight to be Smoke-Free artnerfda-group-tobacco-evapor-food-packaging-at-keller-and-heckman-llp/

Azim Chowdhury is nationally recognized as an expert on FDA issues as they relate to the tobacco and e-vapor industries. He represents tobacco, e-cigarette and e-liquid manufacturers, suppliers and trade associations in matters of FDA regulatory and corporate compliance, and spearheaded Keller and Heckman’s FDA tobacco and e-cigarette practice group. Keller and Heckman LLP, founded in 1962, has a broad practice in regulatory law and related litigation and business transactions. Keller and Heckman’s comprehensive and extensive experience dealing with the regulation of food, drugs, medical devices and dietary supplements before the FDA uniquely positions the firm to guide tobacco, e-cigarette and e-liquid companies through the myriad of statutory and regulatory requirements that will soon be applicable to these products.

In the anticipation of Keller and Heckman’s *2018 E-Vapor and Tobacco Law Symposium, spoke with Chowdhury about what to expect at the second annual event.

For our readers who don’t know, can you talk a little bit about how you got into vaping law/education as a specialty?

The first time I came across a vapor product was back in 2009. While shopping at the mall, I came across a kiosk selling Smoking Everywhere cigalikes. I had been practicing law for a few years at that point and was focusing on medical devices and FDA regulations. I was immediately intrigued by the so-called “electronic cigarettes,” and started researching. When and how FDA was going to regulate vapor products was very much uncertain — the Tobacco Control Act had just become law, giving FDA the authority to regulate tobacco products, but the agency had already come out against e-cigarettes (the first time) arguing that they were unauthorized drug delivery devices. I wrote one of the first law articles on what FDA might do and how it would impact the burgeoning vapor industry for the Food and Drug Law Institute’s Update magazine (which you can findhere). I continued to write articles following the Sottera lawsuit, began speaking at conferences and attending vape expos, edited a couple of books, and quickly came to be recognized as a legal expert on vapor products.

In March 2010, I joined Keller and Heckman, a firm best known for its nationally-ranked FDA practice that includes lawyers as well as scientists, and spearheaded the E-Vapor Law Practice here. Now, we represent dozens of vapor businesses in the U.S. and around the world, including trade associations, manufacturers, suppliers, distributors and retailers in matters of federal, state and global regulatory compliance, as well as litigation, business and intellectual property issues.

This year is the second E-Vapor and Tobacco Law Symposium. Can you talk about how this year’s agenda came into play and how it changed from last year’s?

Last year we launched the inaugural E-Vapor and Tobacco Law Symposium from our offices in Washington, D.C. It was an experiment to see how this industry, which is mostly used to vape expos, trade shows and advocacy events, would react to a legal training seminar. Keller and Heckman’s well-established food, packaging and environmental practices have a long history of hosting these types of seminars, so this is right up our alley. Because the Deeming Rule had just become effective, we knew it was the right time to bring this type of event to the vapor industry to help companies understand how to stay in compliance.

With the success of last year’s Symposium, we decided to take the event “on the road” to Irvine, Calif., to reach a broader audience and make it easier for businesses on the West Coast to attend. With all the changes with the new administration, a new FDA commissioner and new policies that seem to indicate a shift in the agency’s view of these products (we hope), we are covering a lot more material at this year’s event. In addition to our Keller and Heckman experts, we are particularly excited for our guest speakers, several coming from overseas, who will be presenting on topics including good manufacturing practices, state laws, EU and UK laws, and vapor device standards.

Stepping further into that, what are some of the biggest challenges that vapers and business owners need to be aware of this year?

Companies must understand that even though the deadline for premarket applications for products on the market today has been delayed until 2022, the Deeming Rule is still in effect, and there are several fast-approaching deadlines for requirements such as ingredient reporting and HPHC testing that companies need to comply with in the meantime. We are expecting FDA to ramp up enforcement and inspections of facilities, so being prepared for that is critical. We will also be addressing the elephant in the room — Premarket Tobacco Product Applications (PMTAs) — and how companies might be able to work together to save money and submit applications to FDA.

Beyond FDA, more states are passing legislation impacting this industry, including new taxes and licensing requirements. Much of this will be covered at the Symposium. We are also seeing more companies get notices from state environmental regulators regarding how they are storing and disposing of nicotine and other hazardous chemicals. We think that is going to be a big issue in 2018 and moving forward.

Finally, if you’re looking to expand your business beyond the U.S. to the EU or Asia, we are going to have a lot of great presentations on how to do that.

Have there been any wins within the law that you’ve seen for our industry?

There have been a lot of victories at the state level by advocacy organizations such as SFATA, VTA and the Smoke-Free Associations fighting for vaper’s rights. We also had a huge victory last year on behalf of the Right to be Smoke-Free Coalition in Indiana, where we got the Seventh Circuit Court of Appeals to strike down the unconstitutional parts of Indiana’s e-liquid law (seehere). The industry should also consider FDA’s extension of the PMTA deadline as a victory that resulted from everyone’s lobbying efforts, as well as the threat from the lawsuits.

One topic we will be discussing at the Symposium is the appeal of the Nicopure and Right to be Smoke-Free challenge to the Deeming Rule, and how companies can still help with that effort.

The symposium schedule is jam packed and really looks like a must-attend event. Can you talk further about the importance of this two-day event?

I do believe this is a must-attend event for businesses who truly are interested in complying with the law and staying around for the long-term. This will also be a great opportunity to network with Keller and Heckman attorneys and other experts, as well as with other businesses. So far, we have over 100 registered attendees that include some of the biggest names in the industry, but also a lot of smaller companies who are looking to do things the right way.

*Seating is limited, but it is still not too late to register! Keller and Heckman is also exploring options for next year’s Symposium, and may take it to the Midwest or back to the East Coast.

Photo of Azim ChowdhuryPhoto of JC Walker

Beyond the Food and Drug Administration (FDA) and Tobacco Control Act requirements that now apply to deemed tobacco products, manufacturers and retailers of vapor products, and particularly e-liquids, also face stringent environmental and waste management regulations and compliance issues that are significantly more complex than those faced by cigarette and traditional tobacco product companies. This dichotomy arises because regulations promulgated pursuant to the federal Resource Conservation and Recovery Act (RCRA) treat nicotine in tobacco-based products differently than when found in e-cigarettes and other vaping products.

Compliance with the waste management regulations can be confusing because their scope and extent will vary by the amount of waste nicotine produced at a manufacturing facility or the amount of nicotine-containing products collected for disposal by a retailer. Further complicating the issue, even if exempted from the RCRA regulations, certain nicotine-containing products may be subject to state regulation of nicotine as a dangerous or industrial waste. Although there have been few enforcement actions brought against vapor or e-liquid manufacturers or retailers, regulators have noted the industry’s growth and potential for noncompliance. Going forward, we expect regulators to focus less on educating the industry about waste management obligations and follow a more active enforcement approach.

RCRA Overview

The federal RCRA regulations and state analogues establish a comprehensive system for managing hazardous waste from “cradle to grave,” that is from the point the waste is generated until its ultimate disposal. Broadly speaking, the regulations prescribe how to determine if and when a material is regulated as a hazardous waste, and how to manage the waste once the determination is made. Critically, RCRA only applies when the material becomes solid waste, meaning that it has been discarded by being abandoned, recycled, or treated as “inherently-waste like,” or the decision to discard has been made.[1]

Having decided to discard a material, the waste generator must next determine whether the waste is hazardous. This is done in one of two ways: (1) does the waste contain materials that EPA has listed in one of the three hazardous waste lists codified at 40 C.F.R. Part 261, subpart D; or (2) does the waste exhibit one or more of four characteristics: ignitability, corrosivity, reactivity, or toxicity?[2] With regards to e-liquids and other nicotine-bearing products, certain unused chemicals are listed hazardous wastes when discarded.[3] The hazardous waste listing applies when the following three criteria have been met. First, the chemical must be listed at 40 C.F.R. § 261.33(e) or (f). Nicotine and its salts are listed at 40 C.F.R. § 261.33(e) as an acute hazardous waste with the P075 waste code. Second, the listing applies “if and when they are discarded or intended to be discarded” prior to use.[4] Given its intended function, nicotine in e-cigarettes is not used until it has been inhaled by the end user.

Third, the listed chemical must be discarded in the form of a “commercial chemical product or manufacturing chemical intermediate having the generic name of the listed chemical” (CCP). The term CCP refers to a chemical substance which is manufactured or formulated for commercial or manufacturing use and which consists of the commercially pure grade of the chemical, any technical grades of the chemical that are produced or marketed, all formulations in which the chemical is the sole active ingredient, and any off-specification forms of the foregoing chemicals.[5] Products with more than one active ingredient are not regulated as CCP, although they may still be regulated hazardous wastes if they exhibit one of the hazardous characteristics.

According to the U.S. Environmental Protection Agency (EPA), nicotine is the “sole active ingredient” in e-cigarettes because it is the “only chemically active component that performs the function of the product.[6] Flavorings, sweeteners, colorants and other components are considered inert ingredients. Consequently, raw material (i.e., nicotine), off-spec e-liquids, container residues, and spill residues are hazardous wastes when they are discarded or intended to be discarded from businesses. In addition, EPA has stated that because certain e-cigarettes contain cartridges that are containers of a CCP, they too must be treated as hazardous waste when disposed.[7] This also applies to tanks and pods used in open-systems and advanced vaporizers to hold the nicotine-containing e-liquid.

RCRA Requirements Depend on Quantity

Hazardous waste compliance requirements vary significantly under RCRA depending on the amount of hazardous waste a facility generates each month. Thus, the generator category of a company and commensurate requirements, including storage and accumulation, recordkeeping and reporting, and training requirements could change from month to month.[8] Keeping up with these changes and ensuring a facility complies can be particularly burdensome for small businesses, such as those that constitute a large portion of the vapor industry.

Nicotine’s status as an acute hazardous waste is likely the primary driver for determining the “generator” category for an e-liquid or vapor product manufacturer. Businesses that generate acute hazardous waste (“generators”) are categorized as very small quantity generators (VSQGs) when generating up to 2.2 pounds (1 kilogram) per month, and large quantity generators (LQGs) when generating more than 2.2 pounds per month.[9] Regulatory requirements are significantly greater for LQGs, as is clear from a guidance chart developed by EPA.[10] Thus, e-liquid manufacturers have a strong incentive to operate as VSQGs or small quantity generators (SQGs).

When a generator has multiple hazardous waste streams, the generator must quantify each waste stream separately and abide by the more stringent generator category.[11] An e-liquid manufacturer will be classified as an SQG if the manufacturer does not exceed the 2.2 pound per month threshold for acute hazardous waste but generates greater than 100 pounds of non-acute hazardous waste per month.[12] For example, a generator of up to 2.2 pounds of acute hazardous waste that crossed the 220 pound threshold for non-acute hazardous waste may need to comply with SQG requirements, as opposed to VSQG requirements.

Fortunately, a generator has some options for managing hazardous wastes: recycling, treatment, storage, or disposal. Each approach has its own implications and requirements under RCRA. Recycling (e.g., nicotine reclamation) is a management method that can have a meaningful impact on the standards applicable to hazardous waste generators. Provided that the company can demonstrate the recycling is legitimate, the reclaimed nicotine will not be considered solid waste.[13] Recycling is a particularly appealing option as it can reduce the amount of material counted as hazardous waste for purposes of determining the generator category.

E-liquids May Be an Increasing Focus for Enforcement

Compliance with RCRA requirements by vapor product and e-liquid manufacturers is an increasing area of emphasis for both the states and EPA. Thus far, states have focused on outreach to the industry regarding compliance measures.[14] Such outreach typically lasts from six months to a year to provide a chance for the industry to come into compliance before the agencies transition to enforcement. Given that the e-cigarette and vaping industries have been growing for several years, and that the past two years have seen an increase in state proposals and communications concerning this issue, industry members need to consider whether regulators will pursue a more aggressive enforcement agenda in the new year and going forward. Accordingly, e-cigarette and e-liquid manufacturers should evaluate their processes and potential impact on generator status to determine whether their facilities are complying with RCRA or state analogues.

To learn more about the environmental and hazardous waste management regulations that apply to your e-liquid or vapor business, be sure to attend our upcoming E-Vapor and Tobacco Law Symposium on February 6-7, 2018 in Irvine, California. Click here to register and for more information.

For more information on our Tobacco and E-Vapor Practice, visit www.khlaw.com/evapor. For more information on our Environmental Practice, visit www.khlaw.com/Environmental. Follow Keller and Heckman Tobacco and E-Vapor Partner Azim Chowdhury on Twitter.

____________________________________________________________________

[1] 40 C.F.R. §§ 261.2(a), 261.33.
[2] 40 C.F.R. §§ 261.20-261.24.
[3] See 40 C.F.R. § 261.33.
[4] 40 C.F.R. § 261.33. See also EPA Letter to Merck Sharp & Dohme, FaxBack #11012, May 13, 1981.
[5] 40 C.F.R. § 261.33(b)
[6] Letter from Barnes Johnson, EPA, to Daniel K. DeWitt, Warner, Norcross & Judd LLP (May 8, 2015), RCRA Online #14850.
[7] Id.
[8] Recent revisions to the regulations do provide some relief to companies that consistently qualify under one category but experience an episodic event that shifts them to a more burdensome one. The rules generally limit the facility to one episodic event, however. See Hazardous Waste Generator Improvements Rule, 81 Fed. Reg. 85,732 (November 28, 2016).
[9] 40 C.F.R. § 262.13.
[10] U.S. EPA, “Hazardous Waste Generator Regulatory Summary,” available at:https://www.epa.gov/hwgenerators/hazardous-waste-generator-regulatory-summary.
[11] 40 C.F.R. § 262.13.
[12] See 40 C.F.R. § 262.13.
[13] Four factors are used to determine whether recycling is “legitimate.” 40 C.F.R. § 260.43(g). First, recycling must involve a hazardous secondary material that provides a useful contribution to the recycling process or to a product or intermediate of the recycling process. For example, the nicotine-containing materials may be the source of a valuable constituent (i.e., nicotine) recovered in the recycling process. Second, the recycling process must produce a valuable product or intermediate, which can be demonstrated by sale of the recycled product to a third party, by its use as an effective substitute for a commercial product, or by its use as ingredient in a process. Third, the generator and the recycler must manage the hazardous secondary material as a valuable commodity when it is under their control. This would entail management of nicotine-containing materials consistent with how raw nicotine is managed. Fourth, the product of the recycling process must be comparable to a legitimate product or intermediate. For example, the recycled product should meet widely recognized specifications for the raw material and not contain hazardous constituents in greater levels than a non-recycled analogue. See Letter from Barnes Johnson, EPA, to Scott DeMuth, g2revolution LLP (May 8, 2015), RCRA Online #14851.
[14] See, e.g., New Jersey Department of Environmental Protection, “Compliance Advisory Update – Compliance Assistance Available for Vape Shops and Manufacturers” (June 20, 2017), available at: http://www.nj.gov/dep/enforcement/advisories/2017-03.pdf.

Photo of Azim Chowdhury

Azim Chowdhury authored a chapter in “Dual Markets – Comparative Approaches to Regulation.” The book, first published on November 14, 2017, analyzes dual markets for regulated substances and services and aims to provide a framework for effective regulation. A “dual market” refers to the existence of both a legal and an illegal market for a regulated product.The volume focuses on nine types of markets and examines the relationship between regulation, the emerging illegal market, and the resulting overall access to each product or service. Azim’s chapter, “Regulation of E-Cigarettes in the United States” focuses on the FDA regulation of e-cigarettes under the Deeming Rule, including the current pre-market authorization requirements that could result in an effective ban on e-cigarettes in the United States. For more information, or to purchase the book, click here.

Photo of Azim ChowdhuryPhoto of Tracy MarshallPhoto of Robert Niemann

As the e-vapor industry evolves, manufacturers must keep up with an expanding legal and regulatory landscape. In addition to designing their products and services to comply, it is important for e-vapor companies to carefully assess their business practices and relationships with employees and business partners so as to best protect their confidential information and intellectual property, minimize their liability when relying on third party vendors, distributors and independent contractors, and ensure that they comply with applicable laws when advertising, marketing, and selling their products and services to consumers. This checklist highlights ten business, advertising, and intellectual property considerations for e-vapor companies doing business in the United States. Other countries may have different (and in some cases more stringent) requirements, so companies should understand their obligations wherever they conduct business. This checklist is provided for general information purposes. It is not intended to provide a comprehensive summary of applicable laws, and does not constitute legal advice. 

For more information, please contact:

Azim Chowdhury (+1 202.434.4230; chowdhury@khlaw.com)
Tracy P. Marshall (+1 202.434.4234; marshall@khlaw.com)
Robert S. Niemann (+1 415.948.2827; niemann@khlaw.com)

Printable Brochure

Photo of Azim Chowdhury

Azim Chowdhury was interviewed in VB2B’s Winter Edition. Azim discussed current events in the e-vapor industry and what companies need to do in the face of rapid regulatory change.

  1. What are the different services Keller Heckman offers the business owners?

We are a regulatory law firm specializing in the U.S. Food and Drug Administration (FDA), European Union (EU), and global requirements for e-vapor products. Our expertise is in promoting, protecting, and defending products made by the spectrum of industries regulated by government agencies which, in the United States, now includes e-vapor products since FDA’s Deeming Regulation became effective on August 8, 2016. For over 50 years, Keller and Heckman has provided global legal counseling in the areas of regulatory law, litigation, and business transactions. With offices in Washington, D.C., Brussels, Paris, San Francisco, and Shanghai, the firm is a pioneer in the use of interdisciplinary approaches to problem-solving. Further details regarding our services and personnel can be found at www.khlaw.com. With respect to e-vapor products specifically, our comprehensive and extensive experience dealing with the regulation of food, drugs, medical devices, dietary supplements, and packaging before FDA and regulatory agencies around the world uniquely positions us to guide e-vapor companies through the Deeming Regulation and other requirements for various products. We currently represent e-liquid and device manufacturers and trade associations in matters of federal, state, and global regulatory compliance. We defend lawsuits, including class actions, against e-liquid companies. We are also currently representing the Right to be Smoke-Free Coalition and a number of industry trade associations in Federal district court in Washington, D.C., challenging aspects of the Deeming Regulation and the Tobacco Control Act. You can learn more about our e-vapor specific practice on our website at www.khlaw.com/evapor.

  1. Without exposing any confidential information or creating a conflict of interest, what types of companies in this industry do you represent? 

We represent a broad spectrum of e-vapor industry stakeholders, including ingredient suppliers, manufacturers (both e-liquid and devices), distributors and retailers, and trade associations of such companies located in the United States and around the world.

  1. What is the R2B foundation? How can businesses help support its cause?

In July 2015, a group of e-liquid companies came together to form the Right to be Smoke-Free Coalition—a non-profit, industry-led trade association of e-vapor businesses dedicated to promoting the interests of the industry, as well as for the right of vapers to be smoke-free. The specific goal of the Coalition is to legally challenge in court unconstitutional state and federal laws related to the vape industry. The first case that we took on for the Coalition was the unconstitutional e-liquid ban in Indiana. We are still fighting that battle in the 7th Circuit Court of Appeals. We are also challenging the approach FDA took in the Deeming Regulation in regulating vapor products.

Specifically, our position is that FDA’s treatment of vapor products, which is more onerous than cigarette products, violates the Administrative Procedure Act (APA), among other laws. Our main concern is that forcing all vapor products on the market today to go through the Premarket Tobacco Application (PMTA) process within 2 years (where each application is expected to cost hundreds of thousands if not millions of dollars), will result in a virtual ban of all products within 3 years. In short, this regulation will kill the industry. That is why we must come together now to fight this regulation and force FDA to take a more reasonable approach.

The FDA litigation is expected to cost between $1-2 million over the next couple of years (including appeals).  The Coalition is actively recruiting responsible vapor companies to join and contribute to the cause. The more reputable companies that join the Coalition, the less the financial burden will be for all members to fight these laws in court. In terms of contribution amounts, companies have donated between $5,000 and $50,000. But, any amount will help! You can join and contribute here: www.r2bsmokefree.org.

  1. What was going through your mind when you started R2B?

The original e-liquid companies that came together—Vapor Shark, Cosmic Fog Vapors, Mt Baker Vapor and NicQuid—recognized that there was a huge need for an industry-led coalition to challenge laws in court, particularly when the lobbying efforts to prevent such laws were unsuccessful. Indiana was the first example of this, but there are many other states with laws that may challenge, including California and Pennsylvania.

  1. What is your background of expertise? How many years have you been experienced in the field?

I have been practicing law for 10 years and am a Partner in Keller and Heckman’s food and drug law group, where I have been focusing on the e-vapor industry since 2009. Beyond my tobacco and e-vapor work, I advise domestic and foreign corporations in matters of FDA and international regulatory compliance. In particular, I assist companies in establishing clearances for food and drug additives and food-contact substances. I am also a frequent contributor to the Tobacco Reporter and the Food and Drug Law Institute’s (FDLI’s) Update magazine. I have edited and co-authored FDLI’s upcoming manual: Tobacco and Nicotine Delivery: Regulation and Compliance, 2nd Edition. I have also previously served on the Editorial Advisory Board of the Food and Drug Law Journal.

  1. What types of law can your firm practice for potentially interested readers?

We practice in a wide variety of areas of potential interest to your readers including: Advertising & Promotion, Business Counseling and Transactional, Chemical Control (REACH, TSCA), Environmental, Litigation, Product Safety, Telecommunications, Workplace Safety and Health, among other areas. Our full practice list can be found here: http://www.khlaw.com/areas.aspx.

  1. How many partners does Keller Heckman currently have, how many on staff? 

We currently have 41 Partners, 24 of which practice in our food and drug law group. In addition to our legal staff, we have about 20 in-house scientists who work closely with the firm’s attorneys on matters of technical complexity (including e-liquid toxicity assessments, for example).

  1. What are some of the obstacles manufacturers and retailers have to overcome to manufacture finished American vapor products for retail sale in the USA, while now under federal regulation?

Since the Deeming Regulation became effective on August 8, 2016, e-liquid and e-vapor products are now regulated by FDA as tobacco products. That means they are subject to a host of regulatory requirements including establishment registration, product listing, ingredient reporting, health document submissions, warning requirements and, most critically, premarket review via the Premarket Tobacco Product Application (PMTA).  Products on the market on the August 8 effective date can take advantage of a two-year grace period before the PMTA deadline on August 8, 2018. But, new products cannot enter the market today (post-8/8/16) without first getting PMTA authorization.

  1. What are some of the requirements, and the timelines, for manufacturers who had their products on the market before August 8, 2016?

FDA’s full Deeming compliance calendar is available here: http://www.fda.gov/downloads/TobaccoProducts/GuidanceComplianceRegulatoryInformation/UCM501016.pdf. For products that were on the market on August 8, 2016, here are the important deadlines:

  • Register facilities and submit product listings by December 31, 2016 for all U.S. establishments (this does not yet apply to foreign establishments, including Chinese manufacturers, but FDA has indicated it will propose a new rule to extend this requirement to foreign establishments).
  • Submit ingredient lists (i.e., product formulations) by February 8, 2017 (or by August 8, 2017) for small-scale manufacturers.
  • Submit health and safety studies (developed between June and December 2009) by February 8, 2017 (or by August 8, 2017 for small-scale manufacturers).
  • Submit PMTAs by August 8, 2018.
  • Have compliant labeling by May 10, 2018 (e.g., name and place of business, quantity of the contents, and “Sale only allowed in the United States” disclaimer), and the nicotine addiction warning by August 8, 2018.
  1. What are some of the scientific requirements of PMTA applications and how would you recommend manufacturers to go about obtaining such information about their products?

The Tobacco Control Act requires a PMTA to include the following:

  • full reports of all investigations of health risks;
  • a full statement of the components, ingredients, additives and properties, and principles of operation of the tobacco product;
  • a full description of methods of manufacturing and processing;
  • an explanation of how the product complies with any applicable tobacco product standards;
  • samples of the product and its components; and
  • specimens of proposed labeling.

FDA has issued a guidance document to assist manufacturers with preparing and submitting a PMTA, which is available here: http://www.fda.gov/downloads/TobaccoProducts/Labeling/RulesRegulationsGuidance/UCM499352.pdf. The guidance details the information that should be submitted in order to meet the statutory criteria set forth above, and it further recommends the submission of particular additional materials (such as a cover letter and executive summary) that will assist FDA in the review of the submission. Of particular note, FDA has interpreted the provision regarding the “full reports of investigations of health risks” required under the Act to require submission of not only investigations that support the PMTA, but also any investigations that do not support, or are adverse to, the application. FDA further recommends that a PMTA provides information on both nonclinical and clinical investigations, including, but not limited to, any studies assessing constituents of tobacco or tobacco smoke, toxicology, consumer exposure, and consumer use profiles. In addition, FDA recommends that manufacturers provide information on (i) investigations concerning products with novel components, ingredients, additives or design features that are similar or related to those of the new tobacco product, and (ii) investigations concerning products that share novel components, ingredients, additives, or design features with the new tobacco product so that FDA may adequately assess the health risks of the product. The PMTA Guidance contains other detailed recommendations to assist manufacturers in making the required statutory showings, including general principles for scientific studies, product chemistry, nonclinical studies, and studies in adult human subjects.

  1. What would you say was the biggest hurdle you had to overcome throughout your venture as one of the partners of Keller Heckman?

The highlight of my career is actually not related to my food and drug or e-vapor practice, but to my pro bono work. A few years ago, I had the opportunity to assist a young boy and his family obtain asylum in the United States. It was a heartbreaking story—my clients had fled their home country of El Salvador because of the physical violence and threats of death they faced at the hands of the notorious, internationally-known criminal enterprise, the Mara Salvatrucha (MS-13). The gang had singled out my clients and an additional family member for refusing to join them, and actually murdered one of the brothers. Although asylum is rarely granted to the victims of gang-based violence abroad, the Executive Office of Immigration Review agreed that my clients’ case was distinguishable from other cases involving victims of gang violence. They are now productive U.S. residents and hope to become citizens.

  1. What’s the firm’s number one goal for the future?

Our goal is to continue to provide creative legal, scientific, and business solutions for our clients. We are here to help you grow your business, using both law and science.

  1. If you yourself could share one piece of advice with retailers what would it be?

Work with reputable suppliers who plan on doing their best to comply with the law itself (check IDs, no free samples, etc.) and help fund the litigation and lobbying efforts to change the law.

  1. If you had all of the vapor product manufacturers in America in one room, what would you say to them?

The industry must come together with one voice if it is going to survive. We are all on the same team.

     15. What are some new regulations or upcoming changes we can expect to see on the market in the  near future?

The Deeming Regulation is a “foundational” rule that gives FDA authority over deemed products, including e-vapor. There will be more regulations in the future covering, for example, advertising restrictions, Good Manufacturing Practices, online sales, and possible restrictions or prohibitions on the use of flavors. Those regulations would have to go through separate Notice and Comment Rulemaking processes and so are likely years away.