Photo of Azim Chowdhury

As previously reported on this blog, on November 15, 2018, citing new data from the 2018 National Youth Tobacco Survey (NYTS) that showed a surge in e-cigarette use among youth, U.S. Food and Drug Administration (FDA) Commissioner Scott Gottlieb, M.D. announced new steps aimed at curtailing illegal underage use of e-cigarettes by limiting where such products can be purchased. More specifically, the Commissioner indicated that FDA would seek to limit the sale of flavored e-cigarettes (excluding tobacco, mint and menthol flavored products) to (1) brick-and-mortar retailers that permit entry only to adults (18+), or that have a walled-off adult-only section where flavored products can be viewed and purchased; and (2) online stores that implement soon-to-be-announced “heightened” age-verification measures.[1]

With respect to online sales of flavored e-cigarettes, while FDA has not yet provided direction on how companies should verify the age of those purchasing such products over the internet, FDA said that it plans to identify and publish a list of best practices for online retailers. It is possible that the Agency will implement guidance that includes similar requirements to those found in California’s Stop Tobacco Access to Kids Enforcement Act (STAKE Act) – a law which California authorities are increasingly enforcing.

California’s STAKE Act

California law prohibits the sale of tobacco products to anyone under the age of 21[2], and the STAKE Act imposes mandatory steps that online distributors and sellers of tobacco products are required to follow to verify that a purchaser of these items is 21 years of age or older. The Act defines “tobacco products” to include an “electronic device that delivers nicotine or other vaporized liquids to the person inhaling from the device, including, but not limited to, an electronic cigarette, cigar, pipe, or hookah.”[3]

The steps required under the STAKE Act are summarized below.

  • Attempt to match the name, address and date of birth provided by the customer to information contained in records in a database of individuals whose age has been verified to be 21 years or older by reference to an appropriate database of government records kept by the distributor, a direct marketing firm or any other entity.
  • Verify that the billing address on the check or credit card offered for payment by the purchaser matches the address listed in the database.
  • If unable to verify that the purchaser is 21 years of age through the above, require the customer or recipient to submit an age-verification kit consisting of an attestation signed by the customer that he or she is 21 years of age or older and a copy of a valid form of government identification.
  • Verify that the billing address on the check or credit card provided by the consumer matches the address listed in the form of government identification.
  • For credit card transactions, submit information to each credit card company so that the words “tobacco product” may be printed in the purchaser’s credit card statement.
  • Regardless of the form of payment, prior to shipping the tobacco product to a California customer, make a telephone call after 5 p.m. to the purchaser or recipient confirming the order. The call may be a recorded message left on voicemail.
  • Deliver only to the purchaser or recipient’s verified billing address on the check or credit card used for payment. Delivery to a post office box address is prohibited.[4]

Enforcement of the STAKE Act

California is actively pursuing businesses that violate the STAKE Act, both through warning letters from the state Department of Justice and through legal action. The warning letters, which may include violations of additional statutes (e.g., Propositions 56 and 65), outline businesses’ obligations and the steps that they must take to ensure that their tobacco products—including electronic cigarettes and vapor devices—are not being sold to anyone under 21 years of age. The letters also remind recipients that:

“Section 22963 [the STAKE Act] provides for civil penalties of up to $2,000 for the first violation of its requirements, $3,500 for the second violation, $5,000 for the third violation, $6,500 for the fourth violation, and $10,000 for each subsequent violation in a five-year period.”

Legal action taken by California includes a lawsuit filed in the Superior Court of the State of California, County of Los Angeles on October 31, 2018, naming Kandypens Inc., a manufacturer and online retailer of vaping products, as the defendant. The enforcement action seeks injunctive relief and civil penalties for violating the STAKE Act, and other statutes.

Noting that “…any child with a prepaid gift card and an internet connection can easily purchase Kandypens’ vaping devices and e-liquids through Kandypens’ website because Defendant fails to follow state-mandated procedures for verifying a purchaser’s age,” the enforcement action requests that Kandypens be enjoined from selling vaping products over the internet without first verifying the purchaser’s age. It also requests that the Defendant be assessed civil penalties for each violation of the STAKE Act, in addition to penalties for violating other statutes.

While we await FDA’s final guidance for online e-cigarette retailers, businesses selling tobacco products to consumers in California over the internet need to be in compliance with the STAKE Act now. Although it is not yet clear what “heightened” online age-verification measures FDA will require, it is certainly possible that the Agency will turn to states like California for guidance.

______________________________________

[1] U.S. Food & Drug Admin., FDA Statement, Statement From FDA Commissioner Scott Gottlieb, M.D., on Proposed New Steps to Protect Youth by Preventing Access to Flavored Tobacco Products and Banning Menthol in Cigarettes (Nov. 15, 2018) (hereinafter, the “FDA Nov. 15, 2018 Statement”), https://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/UCM625884.htm?utm_campaign=111518_Statement_FDA%20Commissioner%20statement%20on%20p

[2] Cal. Bus. & Prof. Code § 22958(a).

[3] Cal. Bus. & Prof. Code § 22963(a).

[4] SB 7, amending Cal. Bus. & Prof. Code § 22963.

Photo of Azim Chowdhury

Keller and Heckman is pleased to announce the agenda for this year’s E-Vapor and Tobacco Law Symposium. This comprehensive 2-day course will provide you with guidance on how to stay in compliance with FDA’s recent announcements and much more. Click here to view the agenda.

Topics that will be covered include: FDA and State law compliance, HPHCs and PMTAs, Advertising and Marketing, European Union and Global laws, Environmental, OSHA and CPSC compliance, CBD and cannabis-derived products, and more!

To register, click here.

Seminar Details:
Date: January 29 – 30, 2019
Cost: $899 if you register by January 4, 2019; $1,099 if you register after January 4, 2019
*Register 3 or more attendees from the same company and receive a 10% discount. Email seminars@khlaw.com for additional information.

Continuing Legal Education (CLE)
CLE credits are available, pending state approval

Location

Marriott Miami Biscayne Bay
1633 N Bayshore Drive
Miami, FL 33132

Keller and Heckman has negotiated a preferred room rate of $259 per night, plus tax at the Marriott Miami Biscayne Bay. Reservations must be received no later than January 7, 2019. To make your reservation, please click here.

This year’s E-Vapor and Tobacco Law Symposium will feature a conference app; stay tuned for details on downloading the app!

Learn how to stay in compliance with FDA’s recent announcements and much more at Keller and Heckman’s upcoming E-Vapor and Tobacco Law Symposium on January 29 – 30, 2019, in Miami, Florida. Below is a sampling of topics that will be covered at the event. Sign up now and take advantage of our early bird discount!

FDA Regulation Update and Preparing for What’s Next
Azim Chowdhury

  • FDA’s New Announcement: How it Will Impact Your Business
  • Product Compliance Overview: Vapor, Cigars, Hookah
  • Flavors and Product Standards
  • Reporting on Harmful and Potentially Harmful Constituents (HPHCs)
  • Premarket Review for Deemed Tobacco Products
  • PMTAs, SE Reports, and Using Master Files
  • Potential Over-the-Counter Drug Pathway
  • Status of Proposed Rulemakings
  • Modified Risk Tobacco Products
  • Online Sales – “Heightened” Age-Verification
  • Retailer Compliance and Adults-Only Requirement
  • Enforcement and Penalties
  • …and much more!

FDA Inspections: Are You Prepared?
Azim Chowdhury and Daniel Rubenstein

  • Overview of FDA Inspection Authority
  • Update on Tobacco Product Manufacturing Practices
  • The FDA Inspection: Before, During and After
  • Enforcement and Penalties
  • Keller and Heckman’s Audit and Inspection Program (AIP)

Key Litigation Update
Eric Gotting

  • Nicopure and Right to be Smoke-Free Coalition v. FDA (Deeming Rule Appeal)
  • American Academy of Pediatrics v. FDA
  • Potential Upcoming Litigation (e.g., flavor and convenience store bans)

Environmental Issues Affecting Nicotine-Containing Products
JC Walker

  • Overview of Hazardous Waste Regulations Governing E-Liquid Manufacturers and Distributors
  • Considerations for Minimizing Regulatory Exposure

OSHA’s Hazard Communication Standard and Considerations for the E-Liquid Industry
Manesh Rath

  • Overview of OSHA’s Hazard Communication Standard (HCS)
  • Scope of Standard and Exemptions
  • Safety Data Sheets (SDSs)
  • Labeling
  • Employee Training
  • Future Challenges for E-liquid Industry

Advertising and Marketing: Implications for Global Public Policy and the Role of Self-Regulation
Sheila Millar

  • Marketing Practices: Impact on Public Perception, Regulations, Enforcement and Litigation
  • Expanding Global Concerns About Child-Appealing Marketing
  • Creating and Implementing Effective Advertising Self-Regulation

Business, IP, and Advertising Issues – How to Stay in Compliance
Tracy Marshall and Bob Niemann

  • Drafting and Negotiating Vendor, Manufacturing, and Distribution Agreements
  • Insurance Policies for Vapor Companies
  • Protecting Trademarks, Copyrights, and Trade Secrets and Avoiding IP Infringement
  • Privacy and Data Security
  • Using Digital Marketing to Promote Your Business
  • Conducting Contests, Sweepstakes, and Other Promotions

State Law Update
Azim Chowdhury

  • Overview of State permit, licensing and tax requirements for tobacco and vapor products
  • Age-verification and delivery requirements

How to Sell Your Products in the EU (Without Getting into Problems): TPD and Beyond
Marcus Navin-Jones

  • Refresher on TPD Requirements
  • EU Requirements which Apply in Addition to the TPD
  • EU Law vs National Law: Areas where EU Countries are Allowed to Have their Own Rules
  • Recalls, Withdrawals and Legal Crisis Management
  • Brexit and How Brexit is Affecting the Vape Industry

Going International: Preparing Your Business for Global Compliance
David Ettinger

  • Current Regulatory Status of Vapor Products Around the World
  • China and Asia
  • New Zealand
  • Australia
  • Russia, India, Middle East, and More
  • World Health Organization

In addition to the topics above, we will also have special guest speakers from Cardno ChemRisk, Broughton Laboratories and others on topics including Premarket Tobacco Product Applications and HPHC Reporting. Stay tuned for the full agenda!


For additional information, please contact:

Sara A. Woldai, CMP
Manager, Marketing Meetings and Events
woldai@khlaw.com
202.434.4174

Photo of Azim Chowdhury; Photo of Benjamin Wolf

The U.S. Food and Drug Administration (FDA) is expected to announce today detailed plans to curtail the growing number of youth who are using certain types of e-cigarette products. Below is a summary of the Agency’s recent actions and compliance deadlines.

September 12, 2018 Letters to Vuse, Blu, JUUL, MarkTen XL, and Logic

  • On September 12, FDA sent letters to the manufacturers of five Electronic Nicotine Delivery System (ENDS) products (Vuse [British American Tobacco], Blu [Imperial Brands], JUUL [JUUL Labs], MarkTen [Altria] and Logic [Japan Tobacco]) “requiring them to submit important documents to better understand the reportedly high rates of youth use and the particular youth appeal of their products.” These cartridge-based (closed system) products account for 97% of the closed-system cartridge-based e-cigarette market.
  • FDA indicated that it believes e-cigarette use by youth “is reaching epidemic proportions”.  FDA Commissioner Dr. Scott Gottlieb asked the five manufacturers to “come back to the FDA in 60 days with robust plans on how they’ll convincingly address the widespread use of their products by minors, or [FDA will] revisit the FDA’s exercise of enforcement discretion for [flavored ENDS] products currently on the market.”  Dr. Gottlieb continued, “This may require those brands to revise their sales and marketing practices, including online sales; to stop distributing their products to retailers who sell to kids; and to remove some or all of their flavored e-cig products from the market until they receive premarket authorization and otherwise meet applicable requirements.”
  • In an October 31 Statement, Commissioner Gottlieb announced that he had met with the five manufacturers and heard their comments and proposals on how each company would address sales to minors, and how each company thought FDA should regulate to address the same issue. Altria subsequently announced that it would cease sales of its MarkTen cartridge-based products, as well as its flavored cigalike products other than tobacco and menthol; Fontem Ventures indicated it will tighten its age-verification process and raise the age for online sales to 21; and JUUL has announced that it will only permit the sale of flavored products (e.g., cucumber, mango, crème and fruit) through its age-verified online store, while restricting brick-and-mortar retailers to only tobacco, mint and menthol-flavored pods. JUUL further announced it would increase retailer compliance efforts, reduce its social media presence, and develop technology to further reduce the use of its products by youth.

October 12, 2018 Letters to 21 Manufacturers Regarding Potentially Unauthorized New Tobacco Products

  • On October 12, FDA “sent letters to 21 e-cigarette companies . . . seeking information about whether more than 40 products . . . are being illegally marketed and outside the agency’s current compliance policy.”  These letters asked manufacturers to provide documentation within 30 days of receipt demonstrating that the identified products were on the market on August 8, 2016 and have not been modified since that date.
  • This effort is a clear indication that FDA intends to ramp up its enforcement of the marketing authorization provisions and that ENDS products introduced to the market after August 8, 2016 can expect enforcement.

October 22 – 23, 2018 FDA Public Meeting on Tobacco Product Application Review

  • FDA held a meeting (video available) to discuss FDA’s review of premarket applications.
  • Topics included:
    • Substantial Equivalence (and requests for exemption);
    • Premarket Tobacco Product Applications (PMTAs);
    • Modified Risk Tobacco Product Applications (MRTPAs);
    • Pre-submission meetings;
    • Tobacco Product Master Files (TPMFs);
    • Resources available;
    • Environmental Assessments; and
    • Newly Deemed Tobacco Products

November 8, 2018 Ingredient Listing for Small-Scale Tobacco Product Manufacturers

  • Ingredient Listing submissions were due to FDA on November 8 for small-scale manufacturers of Newly Deemed Tobacco Products.  Ingredient listing is a requirement for all tobacco products marketed in the United States, regardless of where manufactured.  For more on ingredient listing, see our most recent blog posts here and here (all ingredient listing related posts are here).
  • For small-scale manufacturers impacted by recent natural disasters, FDA has extended the deadline to submit until May 8, 2019.
  • In a revised guidance published in April 2018, FDA clarified that it now intends to enforce the ingredient listing requirement only with respect to those tobacco product components or parts, such as e-liquids, that are made or derived from tobacco, or contain ingredients that are burned, aerosolized or ingested (i.e., consumed) during use.

December 5, 2018 Public Hearing Announced to Discuss FDA’s Efforts to Eliminate Youth Electronic Cigarette Use

  • As previously reported on Keller and Heckman’s Daily Intake blog, on November 2, 2018, FDA announced a public hearing scheduled for December 5, 2018 to discuss continued efforts to curb e-cigarette use and to aid cessation amongst youth. Topics of interest noted in Dr. Gottlieb’s press release focus on cessation and include:
    • Potential role of drug therapies to support cessation of e-cigarettes and traditional tobacco products use (including cigarettes and smokeless tobacco) amongst youth;
    • Behavioral interventions to aid in cessation;
    • Development of cessation drugs;
    • Development of methods, study designs, and measures for evaluating drugs for use in youth cessation; and
    • Funding opportunities for research on youth use, attitudes, and cessation.

Modification to FDA’s Unified Registration and Listing System Tobacco Registration and Listing Module

  • In early November, FDA updated its FDA Unified Registration and Listing (FURLS) Tobacco Registration and Listing Module (TRLM) to be more user friendly.  The information required for registering a facility and providing product lists does not appear to have changed, but the process should be simpler and more user-friendly.
  • As a reminder, facility registrations must be renewed annually by December 31. Changes to product lists to reflect new products being manufactured, products no longer being manufactured, or changes to labeling/packaging, advertising, or consumer information, must be made by June 30 and December 31 every year.  This means that any labels that have changed to include FDA’s required nicotine warning statement, for example, will need to be updated in FURLS.

Impending FDA Actions

  • In recent weeks, FDA has announced through the press that it is considering banning, or otherwise severely limiting, the sales of flavored (except tobacco and menthol), cartridge-based e-liquids in convenience stores and gas stations, and that it is considering proposing a rule to ban menthol in cigarettes as well as characterizing flavors in other combusted tobacco products (e.g., cigars).

We will report further as additional details of any marketing or other restrictions are released.

Photo of Azim Chowdhury; Photo of Daniel Rubenstein; Photo of Benjamin Wolf

In a widely anticipated move, FDA has significantly increased the frequency of inspections of vapor manufacturing and retail facilities over the past few weeks, with some inspections spanning two days. We have received reports from vapor businesses across the country that they are receiving unannounced visits from FDA investigators conducting biennial inspections pursuant to Sections 704 and 905 of the Food, Drug, and Cosmetic Act as amended by the Tobacco Control Act. Under the Act, FDA is required to inspect every tobacco manufacturing facility at least once every two years. FDA uses a broad definition of manufacturing: repacking and relabeling are considered manufacturing acts, and retailers that mix e-liquids for consumer sale are considered manufacturers.

During the course of their inspection, FDA investigators have requested product samples, labeling and invoices for raw materials, and labeling and invoices for finished goods. We understand that inspections have included both production (cleanroom) and non-production areas and have made use of photography and recordings. FDA appears also to be doing a lot of “fact finding” – learning as much as they can about the industry and how these products are manufactured and distributed, potentially for use in the development of future guidance documents and rulemakings.

We have also received reports of inspectors visiting vapor businesses from other agencies, including the Federal Aviation Administration (FAA), federal and state Environmental Protection Agencies (EPA), as well as state inspectors (e.g., California Department of Tax and Fee Administration).

As FDA continues to visit facilities across the country, it is critical that manufacturers, including retailer-manufacturers, understand the types of information that they are required to provide to the Agency upon request, as well as the type of information that can or should be withheld. Similarly, companies should understand the scope of authority that an FDA Investigator has in asking for specific product details. Vapor product manufacturers should fully prepare for their impending inspection now, so that they can demonstrate a high degree of confidence when FDA arrives. Critically, and as third-party consultants begin to enter the Good Manufacturing Practice (GMP) space, manufacturers and retailer-manufacturers should ensure that the guidance they receive from outside counsel is accurate and based on experience in sound science and law and is protected from disclosure to FDA by attorney-client privilege.

Audit and Inspection Program Completes Coast-to-Coast Site Visits in First Half of 2018

Keller and Heckman’s Audit and Inspection Program (AIP) provides companies that are involved in any aspect of the tobacco or vapor product supply chain with assurance that their facilities are operating in accordance with FDA requirements. AIP Program attorneys have completed audits from Florida to California since the Program first began in early 2018, and feedback has been overwhelmingly positive:

Having your team run a thorough inspection was extremely helpful in preparing us for a “real” FDA inspection. The knowledge and insight you guys were able to provide my “Team Awesome” will certainly help us navigate through the regulations and future inspections. During this interesting time for the industry, and as a responsible manufacturer, we must do everything possible to ensure we are going above and beyond what potential GMPs may be down the road to keep consumers and the industry’s reputation safe.

As “cool” as some people think it is to be a manufacturer in the vape industry, it’s not to be taken lightly. We try to do everything possible to provide our consumers and retailers with top quality products that are manufactured in a clean and safe environment. Having your team come in to review our facility and manufacturing practices gives us confidence that we are doing exactly what we have set out to accomplish!

The AIP Program includes both audit and training components from attorneys experienced in tobacco and vapor law, inspections, and good manufacturing practices, and addresses a broad range of inspection activities, including: recordkeeping, product labeling, product samples, requests for video/audio/photographic recordings, standard operating procedures, cleanliness and sanitation, inventory control, and personnel interviews.

Audits by the AIP Program staff are covered by attorney-client privilege and attorney work-product privilege.

Pre-registration for the AIP is available immediately by filling out the form available here:

Tobacco and Vapor Product Manufacturing Establishment Audit and Mock Inspection Program Pre-Registration Form

The completed pre-registration form can be E-mailed to chowdhury@khlaw.com, faxed to (202) 434-4646, or mailed to:

Keller and Heckman LLP
Attn: Azim Chowdhury
1001 G Street NW, Suite 500 West
Washington, D.C. 20001

Space is limited, and scheduling is generally available on a first-come, first-served basis.

Photo of Azim Chowdhury; Photo of Tracy Marshall

The new European Union (EU) General Data Protection Regulation (GDPR) replaces the Data Protection Directive on May 25, 2018 and will directly impact all companies, including vapor product retailers and businesses, that market and sell products to consumers in the EU and/or employ residents of the EU. The reforms will give European consumers new rights and control over the personal data collected from and about them, and impose new obligations on businesses within and outside of the EU that collect personal information from EU citizens, regardless of where they reside, or from individuals who reside in the EU, regardless of their nationality.  Given the magnitude of potential penalties for violations of the GDPR (supervisory authorities are authorized to impose fines of up to 4% of global annual turnover for serious infringements and 2% for less serious infringements), it is imperative that vapor product retailers and others selling into the EU or handling data about Europe-based individuals ensure they are GDPR-ready.

The new rules empower individuals by, among other things, (1) providing easier access to personal data and more information on how data is processed, (2) facilitating data portability, or transfers of personal data between service providers, (3) clarifying the fundamental “right to be forgotten” for individuals who no longer wish for their data to be processed, and (4) requiring expedited notifications to the national supervisory authority by companies that experience a data breach affecting personal data.

Most companies operate with multiple streams of data, such as HR data, consumer data, vendor/supplier data, and the like. A good starting point is for businesses to assess their current data collection practices and identify gaps, and use that to map out a step-by-step compliance plan specific to their data collection practices that fully prepares them for the new GDPR world.

We provide below a summary of the key requirements in the GDPR and a compliance checklist for businesses. Please note that the summary and checklist are provided for informational purposes only, and do not constitute legal advice regarding specific facts or circumstances.

GDPR KEY REQUIREMENTS
Personal Data: The term “personal data” means “any information concerning an identified or identifiable natural person.” An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier or to one or more factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity.
Extraterritorial Effect: The Regulation applies not only to the processing of personal data by controllers and processors in the EU, but also the processing of personal data of data subjects who are in the EU by a controller or a processor not established in the EU, if the processing activities are related to offering goods or services to the data subjects or monitoring their behavior within the EU.
Lawfulness of Processing: To be lawful, at least one of the following must apply:

  • The data subject consents;
  • Processing is necessary for the performance of a contract to which the data subject is a party;
  • Processing is necessary for compliance with a legal obligation to which the controller is subject (under EU or Member State law);
  • Processing is necessary to protect the vital interests of the data subject or another natural person;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (under EU or Member State law);
  • Processing is necessary for legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Consent Consent to processing must be unambiguous, specific, informed, and freely given (for example, checking a box at a website or choosing technical settings). Pre-checked boxes do not constitute consent. For sensitive data (for example, data revealing race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation), consent must be explicit. When processing has multiple purposes, consent should be given for all of them. Consent may be withdrawn.
Data Processing Processing of personal data must be lawful, fair, and transparent. Individuals should be made aware of the risks, rules, safeguards and their rights in relation to the processing of personal data. The specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection. Personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. Time limits should be established for erasure or periodic review. Personal data should be processed in a manner that ensures appropriate security and confidentiality.
Right to be Forgotten Individuals have a right to request deletion of data, with some exceptions (for example, if retention is legally required).
Data Portability Individuals have the right to easily transfer personal data between different service providers.
Children Special rules apply to children’s data. Where a child is below age 16, processing is lawful only if parents or guardians consent. Member States may establish a lower age for these purposes, so long as the age is not below age 13.
Controller Responsibility Personal data must be processed under the responsibility and liability of the controller, who must ensure and document compliance for each processing operation. Controllers should only use processors who provide sufficient guarantees in terms of expert knowledge, reliability and resources to implement technical and organizational measures that will meet the requirements of the Regulation. Adherence to an approved code of conduct or certification mechanism may be used to demonstrate compliance. There must be controller-processor agreements in place that describe the subject matter, duration, nature and purposes of the processing, type of personal data, and categories of data subjects. Upon completion of the processing, the processor must, at the controller’s election, return or delete the data, unless the processor is required by law to store it. Joint and several liability for controllers and processors.
Data Protection Impact Assessments

Data controllers must conduct Data Protection Impact Assessments (DPIAs) for “risky” processing. DPIAs should be completed before beginning any type of processing which is “likely to result in a high risk.” This means even though the actual level of risk may not have been assessed, a DPIA may be necessary based on identifying factors that point to the potential for a widespread or serious impact on individuals. Some jurisdictions may impose DPIA requirements on specific types of processing.

 

If the DPIA indicates that processing involves a high risk that cannot be mitigated, the controller should consult the supervisory authority (DPA) prior to the processing.

Data Protection Officer Organizations must appoint a data protection officer (DPO) in three situations: the processing is carried out by a public authority; the core activities of the controller or processor consist of processing operations which require regular and systematic processing of data subjects on a large scale; or the core activities involve processing sensitive data or criminal convictions on a large scale.
Documentation Controllers and processors must document all processing and make documentation available to DPA on request.
Data Breach Notification Controllers must notify DPA within 72 hours of learning of a breach, where feasible; no notification is required if a breach is unlikely to result in risk to the rights or freedoms of individuals. Controllers must notify data subjects without undue delay, where the breach is likely to result in a high risk to their rights or freedoms. Notifications to data subjects should describe the nature of the breach and recommendations for individuals to mitigate potential adverse effects. Processors must notify controllers.
Streamlined Approvals A single DPA can be designated the lead, enabling multiple DPAs to handle cases in a more streamlined manner.
Codes of Conduct and Certification Codes of conduct are encouraged, and are subject to approval by the Commission, and compliance should be monitored by an appropriate expert, accredited body. Approved codes of conduct will be registered and published. Data protection certification mechanisms, seals and marks are encouraged.
Transfers to Other Countries Transfers to other countries are permitted based on a determination that the country provides adequate protection of privacy; transfers are subject to adequate safeguards (for example, binding corporate rules, standard contractual clauses, an approved code of conduct, approved certification mechanisms, explicit informed consent).
Reduced Notifications Supervisory notifications about data processing are no longer required, but permission is required to process certain categories of data.
Art 29 Working Party (WP29) WP29 will be “upgraded” to an independent European Data Protection Board.
WP29 Guidance WP29 has issued guidance on several aspects of the GDPR that provide clarification and recommendations:

DPA Enforcement DPAs have enhanced enforcement powers, including expanded investigatory authority.
Complaints and Remedies EU citizens can lodge complaints with local DPAs, even where data is processed extra-territorially, and have the right to a judicial remedy against supervisory authorities who fail to act and against controllers and processors.
Penalties DPAs are authorized to impose fines of up to 4% of global annual turnover for certain serious infringements; 2% for less serious infringements.


GDPR Compliance Checklist 

Types of Personal Data Collected
Identify types of data collected
Identify sensitive data
Identify data collected from children/ whether parental consent is required
Data Processing
Appoint data protection officer (DPO)
DPOs must be appointed if:

  • The processing is carried out by a public authority;
  • The core activities of the controller or processor consist of processing operations which require regular and systematic processing of data subjects on a large scale; or
  • The core activities involve processing sensitive data or criminal convictions on a large scale.
  • May also be operating/established in a jurisdiction (such as Germany) with more stringent requirements.
  • WP29 guidance on DPOs
  • “Core activities”: defined by WP29 as those that are integral to “the controller’s or processor’s activity.”
  • “Large scale”: WP29 recommends that businesses consider the number of data subjects concerned; the volume of data or range of data items; and the duration and the geographical extent of the processing.
  • “Regular and systematic monitoring”: WP29 states this would “include all forms of tracking and profiling on the internet, including for the purposes of behavioral advertising.”
Confirm the lawful basis for the processing:

  • Consent
  • Necessary for compliance with a legal obligation to which the controller is subject
  • Necessary for the performance of a contract to which the data subject is a party
  • Necessary to protect an individual’s vital interest
  • Legitimate interests of the controller (i.e., providing client services or preventing fraud)
  • Transfers of personal data among controllers within an affiliated group for internal administrative purposes
  • Strictly necessary and proportionate for ensuring network and information security
If consent is the basis for the processing:

  • Must be unambiguous, specific, informed, and freely given
  • Must obtain consent for each processing activity/purpose
  • Explicit consent required for sensitive data
Confirm that personal data collected is adequate, relevant and limited to what is necessary for the purpose(s)
Determine whether a data protection impact assessment (DPIA) is required (high-risk processing)

  • Systems that analyze a person’s economic situation, location, health, personal preferences, reliability or behavior
  • Video surveillance systems
  • Data in large scale filing systems on children, genetic or biometric data
DPIA, if required, should address

  • Contemplated processing and purposes
  • Necessity and proportionality of the processing in relation to the purposes
  • Risks to the rights and freedoms of data subjects
  • Safeguards and security measures to address the risks
If DPIA indicates that processing would result in high risk, then consult DPA prior to processing
Data subjects must be informed about:

  • Identity and contact information for controller and DPO
  • Purposes of the processing and legal basis
  • Recipients/ categories of recipients of personal data
  • Period for which personal data will be stored
  • Right to request access to and correction or erasure of personal data or to restrict processing
  • Right to withdraw consent at any time
  • Right to file complaint with supervisory authority
Review privacy policies and update as necessary
Establish system for documenting processing operations
Amendments to third-party contracts to ensure compliance with GDPR and e-Privacy Directive (and eventually e-Privacy Regulation)
Data Storage
Determine where and how data is stored
Establish limits for erasure of data and periodic reviews
Review data retention policies to ensure data only kept for as long as necessary
Establish and/or review processes for rectifying or deleting inaccurate data
Prepare template responses for data access requests
Data Transfers to Other Countries
Review and analyze global data flows
Assess validity of current mechanisms for transfers of personal data from the EU to the U.S. or other countries, for example:

  • Adequacy determination
  • Binding corporate rules
  • Standard contractual clauses
  • EU–U.S. Privacy Shield
  • Codes of conduct
  • Certification mechanisms
  • Explicit, informed consent in limited circumstances
Assess feasibility/benefits of approved codes of conduct and certification mechanisms
Assess need for controller-controller and/or controller-processor agreements; review content for compliance with new requirements
Data Security
Review technical and organizational measures in place to prevent unlawful destruction, loss, alteration, disclosure of/ access to personal data

  • Pseudonymization and encryption
  • Ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services
  • Ability to restore availability and access to data in timely manner in the event of a physical or technical incident
  • Process for regularly testing, assessing and evaluating the effectiveness of the security measures in place
Ensure that processors are employing adequate technical and organizational measures; address in contracts
Establish and/or update data breach response plan

For more information on the GDPR or other privacy or data security matters, and how they affect businesses involved in e-liquid and vapor products, please contact Tracy Marshall (+1 202.434.4234, marshall@khlaw.com), Azim Chowdhury (+1 202.434.4230, chowdhury@khlaw.com), or Nathan A. Cardon (+1 202.434.4254, cardon@khlaw.com).

This interview originally appeared here: https://www.cyclopsvapor.com/blog/qa-with-azim-chowdhury-partnerfda-group-tobacco-evapor-food-packaging-at-keller-and-heckman-llp/

Azim Chowdhury is nationally recognized as an expert on FDA issues as they relate to the tobacco and e-vapor industries. He represents tobacco, e-cigarette and e-liquid manufacturers, suppliers and trade associations in matters of FDA regulatory and corporate compliance, and spearheaded Keller and Heckman’s FDA tobacco and e-cigarette practice group. Keller and Heckman LLP, founded in 1962, has a broad practice in regulatory law and related litigation and business transactions. Keller and Heckman’s comprehensive and extensive experience dealing with the regulation of food, drugs, medical devices and dietary supplements before the FDA uniquely positions the firm to guide tobacco, e-cigarette and e-liquid companies through the myriad of statutory and regulatory requirements that will soon be applicable to these products.

In anticipation of Keller and Heckman’s *2018 E-Vapor and Tobacco Law Symposium, spoke with Chowdhury about what to expect at the second annual event.

For our readers who don’t know, can you talk a little bit about how you got into vaping law/education as a specialty?

The first time I came across a vapor product was back in 2009. While shopping at the mall, I came across a kiosk selling Smoking Everywhere cigalikes. I had been practicing law for a few years at that point and was focusing on medical devices and FDA regulations. I was immediately intrigued by the so-called “electronic cigarettes,” and started researching. When and how FDA was going to regulate vapor products was very much uncertain — the Tobacco Control Act had just become law, giving FDA the authority to regulate tobacco products, but the agency had already come out against e-cigarettes (the first time) arguing that they were unauthorized drug delivery devices. I wrote one of the first law articles on what FDA might do and how it would impact the burgeoning vapor industry for the Food and Drug Law Institute’s Update magazine (which you can find here). I continued to write articles following the Sottera lawsuit, began speaking at conferences and attending vape expos, edited a couple of books, and quickly came to be recognized as a legal expert on vapor products.

In March 2010, I joined Keller and Heckman, a firm best known for its nationally-ranked FDA practice that includes lawyers as well as scientists, and spearheaded the E-Vapor Law Practice here. Now, we represent dozens of vapor businesses in the U.S. and around the world, including trade associations, manufacturers, suppliers, distributors and retailers in matters of federal, state and global regulatory compliance, as well as litigation, business and intellectual property issues.

This year is the second E-Vapor and Tobacco Law Symposium. Can you talk about how this year’s agenda came into play and how it changed from last year’s?

Last year we launched the inaugural E-Vapor and Tobacco Law Symposium from our offices in Washington, D.C. It was an experiment to see how this industry, which is mostly used to vape expos, trade shows and advocacy events, would react to a legal training seminar. Keller and Heckman’s well-established food, packaging and environmental practices have a long history of hosting these types of seminars, so this is right up our alley. Because the Deeming Rule had just become effective, we knew it was the right time to bring this type of event to the vapor industry to help companies understand how to stay in compliance.

With the success of last year’s Symposium, we decided to take the event “on the road” to Irvine, Calif., to reach a broader audience and make it easier for businesses on the West Coast to attend. With all the changes with the new administration, a new FDA commissioner and new policies that seem to indicate a shift in the agency’s view of these products (we hope), we are covering a lot more material at this year’s event. In addition to our Keller and Heckman experts, we are particularly excited for our guest speakers, several coming from overseas, who will be presenting on topics including good manufacturing practices, state laws, EU and UK laws, and vapor device standards.

Stepping further into that, what are some of the biggest challenges that vapers and business owners need to be aware of this year?

Companies must understand that even though the deadline for premarket applications for products on the market today has been delayed until 2022, the Deeming Rule is still in effect, and there are several fast-approaching deadlines for requirements such as ingredient reporting and HPHC testing that companies need to comply with in the meantime. We are expecting FDA to ramp up enforcement and inspections of facilities, so being prepared for that is critical. We will also be addressing the elephant in the room — Premarket Tobacco Product Applications (PMTAs) — and how companies might be able to work together to save money and submit applications to FDA.

Beyond FDA, more states are passing legislation impacting this industry, including new taxes and licensing requirements. Much of this will be covered at the Symposium. We are also seeing more companies get notices from state environmental regulators regarding how they are storing and disposing of nicotine and other hazardous chemicals. We think that is going to be a big issue in 2018 and moving forward.

Finally, if you’re looking to expand your business beyond the U.S. to the EU or Asia, we are going to have a lot of great presentations on how to do that.

Have there been any wins within the law that you’ve seen for our industry?

There have been a lot of victories at the state level by advocacy organizations such as SFATA, VTA and the Smoke-Free Associations fighting for vapers’ rights. We also had a huge victory last year on behalf of the Right to be Smoke-Free Coalition in Indiana, where we got the Seventh Circuit Court of Appeals to strike down the unconstitutional parts of Indiana’s e-liquid law (see here). The industry should also consider FDA’s extension of the PMTA deadline as a victory that resulted from everyone’s lobbying efforts, as well as the threat from the lawsuits.

One topic we will be discussing at the Symposium is the appeal of the Nicopure and Right to be Smoke-Free challenge to the Deeming Rule, and how companies can still help with that effort.

The symposium schedule is jam packed and really looks like a must-attend event. Can you talk further about the importance of this two-day event?

I do believe this is a must-attend event for businesses who truly are interested in complying with the law and staying around for the long-term. This will also be a great opportunity to network with Keller and Heckman attorneys and other experts, as well as with other businesses. So far, we have over 100 registered attendees that include some of the biggest names in the industry, but also a lot of smaller companies who are looking to do things the right way.

*Seating is limited, but it is still not too late to register! Keller and Heckman is also exploring options for next year’s Symposium, and may take it to the Midwest or back to the East Coast.

Photo of Azim Chowdhury
Photo of JC Walker

Beyond the Food and Drug Administration (FDA) and Tobacco Control Act requirements that now apply to deemed tobacco products, manufacturers and retailers of vapor products, and particularly e-liquids, also face stringent environmental and waste management regulations and compliance issues that are significantly more complex than those faced by cigarette and traditional tobacco product companies. This dichotomy arises because regulations promulgated pursuant to the federal Resource Conservation and Recovery Act (RCRA) treat nicotine in tobacco-based products differently than when found in e-cigarettes and other vaping products.

Compliance with the waste management regulations can be confusing because their scope and extent will vary by the amount of waste nicotine produced at a manufacturing facility or the amount of nicotine-containing products collected for disposal by a retailer. Further complicating the issue, even if exempted from the RCRA regulations, certain nicotine-containing products may be subject to state regulation of nicotine as a dangerous or industrial waste. Although there have been few enforcement actions brought against vapor or e-liquid manufacturers or retailers, regulators have noted the industry’s growth and potential for noncompliance. Going forward, we expect regulators to focus less on educating the industry about waste management obligations and follow a more active enforcement approach.

RCRA Overview

The federal RCRA regulations and state analogues establish a comprehensive system for managing hazardous waste from “cradle to grave,” that is, from the point the waste is generated until its ultimate disposal. Broadly speaking, the regulations prescribe how to determine if and when a material is regulated as a hazardous waste, and how to manage the waste once the determination is made. Critically, RCRA only applies when the material becomes solid waste, meaning that it has been discarded by being abandoned, recycled, or treated as “inherently waste-like,” or the decision to discard has been made.[1]

Having decided to discard a material, the waste generator must next determine whether the waste is hazardous. This is done in one of two ways: (1) does the waste contain materials that EPA has listed in one of the three hazardous waste lists codified at 40 C.F.R. Part 261, subpart D; or (2) does the waste exhibit one or more of four characteristics: ignitability, corrosivity, reactivity, or toxicity?[2] With regards to e-liquids and other nicotine-bearing products, certain unused chemicals are listed hazardous wastes when discarded.[3] The hazardous waste listing applies when the following three criteria have been met. First, the chemical must be listed at 40 C.F.R. § 261.33(e) or (f). Nicotine and its salts are listed at 40 C.F.R. § 261.33(e) as an acute hazardous waste with the P075 waste code. Second, the listing applies “if and when they are discarded or intended to be discarded” prior to use.[4] Given its intended function, nicotine in e-cigarettes is not used until it has been inhaled by the end user.

Third, the listed chemical must be discarded in the form of a “commercial chemical product or manufacturing chemical intermediate having the generic name of the listed chemical” (CCP). The term CCP refers to a chemical substance which is manufactured or formulated for commercial or manufacturing use and which consists of the commercially pure grade of the chemical, any technical grades of the chemical that are produced or marketed, all formulations in which the chemical is the sole active ingredient, and any off-specification forms of the foregoing chemicals.[5] Products with more than one active ingredient are not regulated as CCP, although they may still be regulated hazardous wastes if they exhibit one of the hazardous characteristics.

According to the U.S. Environmental Protection Agency (EPA), nicotine is the “sole active ingredient” in e-cigarettes because it is the “only chemically active component that performs the function of the product.”[6] Flavorings, sweeteners, colorants and other components are considered inert ingredients. Consequently, raw material (i.e., nicotine), off-spec e-liquids, container residues, and spill residues are hazardous wastes when they are discarded or intended to be discarded from businesses. In addition, EPA has stated that because certain e-cigarettes contain cartridges that are containers of a CCP, they too must be treated as hazardous waste when disposed.[7] This also applies to tanks and pods used in open-systems and advanced vaporizers to hold the nicotine-containing e-liquid.

RCRA Requirements Depend on Quantity

Hazardous waste compliance requirements vary significantly under RCRA depending on the amount of hazardous waste a facility generates each month. Thus, the generator category of a company and commensurate requirements, including storage and accumulation, recordkeeping and reporting, and training requirements could change from month to month.[8] Keeping up with these changes and ensuring a facility complies can be particularly burdensome for small businesses, such as those that constitute a large portion of the vapor industry.

Nicotine’s status as an acute hazardous waste is likely the primary driver for determining the “generator” category for an e-liquid or vapor product manufacturer. Businesses that generate acute hazardous waste (“generators”) are categorized as very small quantity generators (VSQGs) when generating up to 2.2 pounds (1 kilogram) per month, and large quantity generators (LQGs) when generating more than 2.2 pounds per month.[9] Regulatory requirements are significantly greater for LQGs, as is clear from a guidance chart developed by EPA.[10] Thus, e-liquid manufacturers have a strong incentive to operate as VSQGs or small quantity generators (SQGs).

When a generator has multiple hazardous waste streams, the generator must quantify each waste stream separately and abide by the more stringent generator category.[11] An e-liquid manufacturer will be classified as an SQG if the manufacturer does not exceed the 2.2 pound per month threshold for acute hazardous waste but generates greater than 100 pounds of non-acute hazardous waste per month.[12] For example, a generator of up to 2.2 pounds of acute hazardous waste that crossed the 220 pound threshold for non-acute hazardous waste may need to comply with SQG requirements, as opposed to VSQG requirements.

Fortunately, a generator has some options for managing hazardous wastes: recycling, treatment, storage, or disposal. Each approach has its own implications and requirements under RCRA. Recycling (e.g., nicotine reclamation) is a management method that can have a meaningful impact on the standards applicable to hazardous waste generators. Provided that the company can demonstrate the recycling is legitimate, the reclaimed nicotine will not be considered solid waste.[13] Recycling is a particularly appealing option as it can reduce the amount of material counted as hazardous waste for purposes of determining the generator category.

E-liquids May Be an Increasing Focus for Enforcement

Compliance with RCRA requirements by vapor product and e-liquid manufacturers is an increasing area of emphasis for both the states and EPA. Thus far, states have focused on outreach to the industry regarding compliance measures.[14] Such outreach typically lasts from six months to a year to provide a chance for the industry to come into compliance before the agencies transition to enforcement. Given that the e-cigarette and vaping industries have been growing for several years, and that the past two years have seen an increase in state proposals and communications concerning this issue, industry members need to consider whether regulators will pursue a more aggressive enforcement agenda in the new year and going forward. Accordingly, e-cigarette and e-liquid manufacturers should evaluate their processes and potential impact on generator status to determine whether their facilities are complying with RCRA or state analogues.

To learn more about the environmental and hazardous waste management regulations that apply to your e-liquid or vapor business, be sure to attend our upcoming E-Vapor and Tobacco Law Symposium on February 6-7, 2018 in Irvine, California. Click here to register and for more information.

For more information on our Tobacco and E-Vapor Practice, visit www.khlaw.com/evapor. For more information on our Environmental Practice, visit www.khlaw.com/Environmental. Follow Keller and Heckman Tobacco and E-Vapor Partner Azim Chowdhury on Twitter.

____________________________________________________________________

[1] 40 C.F.R. §§ 261.2(a), 261.33.
[2] 40 C.F.R. §§ 261.20-261.24.
[3] See 40 C.F.R. § 261.33.
[4] 40 C.F.R. § 261.33. See also EPA Letter to Merck Sharp & Dohme, FaxBack #11012, May 13, 1981.
[5] 40 C.F.R. § 261.33(b)
[6] Letter from Barnes Johnson, EPA, to Daniel K. DeWitt, Warner, Norcross & Judd LLP (May 8, 2015), RCRA Online #14850.
[7] Id.
[8] Recent revisions to the regulations do provide some relief to companies that consistently qualify under one category but experience an episodic event that shifts them to a more burdensome one. The rules generally limit the facility to one episodic event, however. See Hazardous Waste Generator Improvements Rule, 81 Fed. Reg. 85,732 (November 28, 2016).
[9] 40 C.F.R. § 262.13.
[10] U.S. EPA, “Hazardous Waste Generator Regulatory Summary,” available at: https://www.epa.gov/hwgenerators/hazardous-waste-generator-regulatory-summary.
[11] 40 C.F.R. § 262.13.
[12] See 40 C.F.R. § 262.13.
[13] Four factors are used to determine whether recycling is “legitimate.” 40 C.F.R. § 260.43(g). First, recycling must involve a hazardous secondary material that provides a useful contribution to the recycling process or to a product or intermediate of the recycling process. For example, the nicotine-containing materials may be the source of a valuable constituent (i.e., nicotine) recovered in the recycling process. Second, the recycling process must produce a valuable product or intermediate, which can be demonstrated by sale of the recycled product to a third party, by its use as an effective substitute for a commercial product, or by its use as ingredient in a process. Third, the generator and the recycler must manage the hazardous secondary material as a valuable commodity when it is under their control. This would entail management of nicotine-containing materials consistent with how raw nicotine is managed. Fourth, the product of the recycling process must be comparable to a legitimate product or intermediate. For example, the recycled product should meet widely recognized specifications for the raw material and not contain hazardous constituents in greater levels than a non-recycled analogue. See Letter from Barnes Johnson, EPA, to Scott DeMuth, g2revolution LLP (May 8, 2015), RCRA Online #14851.
[14] See, e.g., New Jersey Department of Environmental Protection, “Compliance Advisory Update – Compliance Assistance Available for Vape Shops and Manufacturers” (June 20, 2017), available at: http://www.nj.gov/dep/enforcement/advisories/2017-03.pdf.

Azim Chowdhury authored a chapter in “Dual Markets – Comparative Approaches to Regulation.” The book, first published on November 14, 2017, analyzes dual markets for regulated substances and services and aims to provide a framework for effective regulation. A “dual market” refers to the existence of both a legal and an illegal market for a regulated product. The volume focuses on nine types of markets and examines the relationship between regulation, the emerging illegal market, and the resulting overall access to each product or service. Azim’s chapter, “Regulation of E-Cigarettes in the United States” focuses on the FDA regulation of e-cigarettes under the Deeming Rule, including the current pre-market authorization requirements that could result in an effective ban on e-cigarettes in the United States. For more information, or to purchase the book, click here.

Photo of Azim Chowdhury
Photo of Tracy Marshall
Photo of Robert Niemann

As the e-vapor industry evolves, manufacturers must keep up with an expanding legal and regulatory landscape. In addition to designing their products and services to comply, it is important for e-vapor companies to carefully assess their business practices and relationships with employees and business partners so as to best protect their confidential information and intellectual property, minimize their liability when relying on third party vendors, distributors and independent contractors, and ensure that they comply with applicable laws when advertising, marketing, and selling their products and services to consumers. This checklist highlights ten business, advertising, and intellectual property considerations for e-vapor companies doing business in the United States. Other countries may have different (and in some cases more stringent) requirements, so companies should understand their obligations wherever they conduct business. This checklist is provided for general information purposes. It is not intended to provide a comprehensive summary of applicable laws, and does not constitute legal advice. 

For more information, please contact:

Azim Chowdhury (+1 202.434.4230; chowdhury@khlaw.com)
Tracy P. Marshall (+1 202.434.4234; marshall@khlaw.com)
Robert S. Niemann (+1 415.948.2827; niemann@khlaw.com)

Printable Brochure