The Consumer Product Safety Improvement Act of 2008 became law in August 2008. The new act dramatically alters the original Consumer Product Safety Act, which was first enacted in 1972. The amended act greatly expands both the authority and the resources of the Consumer Product Safety Commission so that virtually all consumer products made in, sold in or imported into the United States are regulated by the amended act. The provisions of the amended act apply to foreign and domestic manufacturers, importers, distributors and retailers of 'consumer products'.(1) The amended act:
- significantly increases both civil and criminal penalties for violations;
- allows for the seizure and destruction of imported non-compliant products; and
- authorizes state attorneys general to file civil actions to stop the sale of products that violate the amended act.
Thus, the law places new and significant regulatory compliance burdens on all businesses involved with consumer products in the United States.
Assessing the risk of non-compliance with the requirements of the amended act and developing a comprehensive programme for compliance with the amended act are necessities for companies large and small. An effective compliance programme can protect businesses against risks arising out of the amended act's extensive regulatory regime. This update first discusses threats to companies doing business in the United States, and then presents a programme for risk assessment and compliance with the amended act.
Businesses that do not comply with the amended act's requirements are exposed to a number of significant risks.
The maximum penalty for individual violations of the amended act has been increased from $8,000 to $100,000. The ceiling on civil penalties for a related series of violations has also been increased from $1.825 million to $15 million.(2)
Directors, officers and agents of businesses dealing in consumer goods face personal criminal prosecution for knowing and wilful violations of the amended act.
Criminal penalties have been increased from a maximum of one year's imprisonment to five years' imprisonment. The elevation of criminal penalties from misdemeanours to felonies also makes it more likely that the Department of Justice will prosecute violations of the amended act.
The amended act no longer requires that directors, officers or agents have knowledge of a non-compliance notice sent by the commission to the business before such individuals may be subjected to criminal penalties. Under the original act, corporations and their individual directors and officers could be held criminally liable only if they had first received notice of a violation from the commission.
Failure to comply with the amended act may result in costly business interruption.
No business in the chain of distribution may legally sell or distribute in commerce a consumer product that is non-compliant. The commission can stop the distribution of non-compliant consumer products and, under appropriate circumstances, order the recall of a consumer product and the refund of its cost to consumers.
Imported products that fail to comply with the amended act must be destroyed at the border unless, by special application, the Treasury secretary permits export in lieu of destruction.
State attorneys general and whistleblowers
The state attorneys general in all 50 states are now authorized to initiate civil actions and seek injunctive relief against businesses that violate the amended act. Further, the amended act gives expanded whistleblower protection to employees who report employer violations. This is in keeping with numerous other federal statutes which protect whistleblowers from retaliation.
Compliance with consumer product safety laws is mandatory. The civil and criminal penalties set out above place a vast number of companies and individuals at risk if they violate the provisions of the amended act. In order to protect against these civil and criminal penalties, companies should institute a formal compliance programme, beginning with a company-wide risk assessment.
The purpose of a risk assessment is multifold:
- It identifies business operations and consumer products that are at risk of non-compliance with the provisions of the amended act;
- It evaluates the likelihood of specific violations and the harm that compliance violations would cause to the company; and
- It prioritizes risks in terms of severity and helps to focus the company's compliance efforts so as to protect against the most significant risks first.
When a company conducts a risk assessment, it should seriously consider doing so with the assistance of someone experienced in risk assessments, as well as carrying it out under the direction of a lawyer (in-house or outside counsel). This is particularly important during the initial risk assessment process. Current problems and past violations may be discovered and the company may need time and privacy to design and implement an appropriate response. This is best done with the protection of the attorney-client privilege and attorney work product doctrine. If the company determines that a violation has occurred, counsel can provide valuable assistance with the timing and circumstances of any disclosures.
An organized process is necessary for an effective risk assessment and compliance programme. A risk assessment programme typically involves three steps:
- information gathering;
- categorizing risk; and
- analysis, documentation and setting priorities.
The first steps in an effective risk assessment programme are the identification of the amended act requirements that affect the company and an assessment of existing company procedures for ensuring compliance with those requirements. Companies should begin by gathering the information necessary to understand the products and operations that expose the business to potential violations. This process is designed to achieve a thorough understanding of the company's products and to identify all risk areas. For the purposes of compliance with the amended act, this begins with the identification of all consumer products with which the business is involved. Once that is known, the company can identify and evaluate its existing procedures for compliance (if any).
There are typically three separate but overlapping aspects of information gathering:
- an initial consultation;
- collection and review of relevant company documentation and data; and
- interviews or surveys of appropriate personnel.
Information gathering should begin with a consultation between the personnel responsible for conducting the risk assessment and knowledgable individuals at the company. The designated company individuals should have (or should be able to arrange promptly) consultations with those who have a thorough knowledge of the company's products and operations.
For product manufacturers, this may include information from design engineers, operations managers, quality assurance managers, logistics supervisors and other individuals with knowledge of the product's design and manufacture. Importers and distributors should make available those individuals with upstream supply chain knowledge, as well as marketing and sales personnel. Retailers will need to make available individuals with similar knowledge of their products and operations.
The different kinds of company (ie, manufacturing, import, distribution and retail companies) each have varying kinds of regulatory risk exposure. The process for conducting the risk assessment should be designed with knowledge of the company's products and business operations.
Documentation and data collection
The second part of the process involves gathering and evaluating relevant documents and other data. The risk assessment should compile supporting materials organized by product and related regulatory requirements. In addition, the following should be compiled and organized for later product evaluation:
- existing product specifications;
- design documentation;
- materials performance testing;
- quality assurance documentation;
- customer complaints;
- product claims;
- marketing materials;
- existing compliance procedures and documentation; and
- other relevant documents.
In addition, public information about regulatory and enforcement agency actions relevant to the company's business should be identified. Knowing where the government is focusing its resources can help a company to prioritize compliance activities.
Interviews and surveys
Based on the first two steps, the third part of the information-gathering process involves interviewing or surveying relevant personnel regarding the critical areas of the company's structure and operations. These interviews and surveys are intended to clarify the company's business operations and how they intersect with regulatory requirements, and also to identify potential violations that may be taking place. They should include a candid assessment of the existence or effectiveness of the company's current compliance processes. Finally, they should inquire into the potential impact of compliance violations. In order to collect information consistently, a standard interview or survey form should be developed for use during this process.
When gathering information for use in assessing compliance risks under the amended act, several critical issues should be borne in mind:
- A company's obligations under the amended act are defined by its role in the chain of commerce. The amended act regulates foreign and domestic manufacturers, importers, private labellers, distributors and retailers. Its mandates differ depending on the company's place in the chain of commerce. For example, importers and domestic manufacturers must meet certification requirements that are not required of foreign manufacturers or retailers. Many, but not all, of the provisions of the amended act are role specific.
- The age of the product's user is a critical factor in the application of the amended act. Important and often burdensome provisions of the amended act apply to children's products, but not to versions of the same product intended for use by the general population. The amended act defines a 'children's product' as a consumer product designed or intended primarily for children aged 12 or younger. The commission uses multiple factors in deciding whether a product is a children's product.(3) However, it is often difficult to determine whether a particular consumer product will be regulated as a children's product. Thus, special care is needed to gather all relevant information that will determine whether a particular product is a children's product.
- The amended act's scope includes other acts that are also enforced by the commission. The amended act expands the commission's authority to include all bans, rules, standards and regulations under not only the Consumer Product Safety Act, but also the Federal Hazardous Substances Act, the Flammable Fabrics Act, the Poison Prevention Packaging Act, the Refrigerator Safety Act, the Children's Gasoline Burn Prevention Act and the Virginia Graeme Baker Pool and Spa Safety Act.
- The amended act mandates a general conformity certification for manufacturers, private labellers and importers of consumer products.(4) Each manufacturer, private labeller or importer of a consumer product covered by this section must certify that the product has been tested or is subject to a reasonable testing programme, and complies with all applicable consumer product safety rules.(5) There is a partial stay of enforcement for certain certification requirements until February 10 2010.
- Violations of the amended act fall into two broad categories: regulated product violations and product hazard defect cases. Information should be collected on potential violations in both categories.
Under the first category, consumer products must comply with various enumerated standards. These are specific to products or classes of product. For example, children's toys are subject to specific limits as to the levels of lead that are allowed in the lead paint on the toy or in the actual content of any part of the toy. Similarly, clothing is subject to specific regulations under the Flammable Fabrics Act.
The second category encompasses more generic defects. Products may violate the amended act if they contain a 'substantial product hazard' - that is, a product defect which, because of the defect's pattern, number or severity of risk, creates a substantial risk of injury to the public.
Evaluation of risk categories and level of risk
Using the gathered information, the next step is to evaluate the risks that a product may violate the amended act. In a risk assessment the risks of non-compliance should be categorized for individual products or groups of products. They should be ranked and categorized using designations such as 'high', 'moderate' or 'low', or a numerical designation such as one to five. The risk levels should include an evaluation of the likelihood of a violation of the amended act and an assessment of the level and type of damage a violation could cause.
Risk evaluation can be particularly difficult due to the complex and often confusing provisions of the amended act. The application and enforcement of the law have changed since its inception in several key areas as the commission has sought to interpret reasonably and enforce a law that is complex and often vague and confusing. Thus, companies and their counsel are forced to make judgements about how their products are regulated under a law that is anything but clear.
Companies should do the following when evaluating the risk of whether their regulated products may be in violation of the amended act:
- Identify what products are subject to amended act regulation - not all products are consumer products regulated under the jurisdiction of the commission.
- Identify what standards apply to each product - this is a difficult task that requires a complete understanding of both a company's product and the amended act itself.
- Identify applicable test methods - this will vary depending on the nature of the product involved. For example, children's products require independent third-party testing, which general use products do not. However, a testing programme for general use products must still be a reasonable testing programme, as defined by the commission.
- Review completed testing - information should be gathered on all applicable testing. This should include test methodologies, entities performing the tests, the date and location of tests and all actual test data, including results. The absence of any relevant test results must be carefully determined and cured as needed.
- Evaluate results - once the appropriate standards have been applied to the regulated products, and the testing completed and reviewed, a company will be able to determine the likelihood that a product meets amended act requirements. Compliance may be difficult to determine for certain products, either because it is unclear which category the products fall into (ie, children's products or general use products) or due to the product's use history. In certain situations, appropriate consultation with commission staff may be useful.
Products not subject to specific standards may still violate the amended act if they are defective and constitute a substantial product hazard. The company must evaluate:
- the nature of the possible product defect;
- any pattern in the product defect; and
- the number and severity of injuries or other incidents involving consumers.
At this point, the company must also evaluate the seriousness of the potential violations and harm to the company that may be caused by any potential violations. Based on the likelihood of violation and the potential harm caused, the particular risks can be ranked in appropriate categories which define the level of risk (ie, high, moderate or low).
Analysis, documentation and setting of priorities
The third step in the process is to prepare a written risk assessment based on the first two steps. This comprises two things: (i) a written analysis of identified risks, presented in a concise manner so as to provide clear guidance to the company in identifying risk profiles and in tailoring and prioritizing its compliance activities accordingly; and (ii) a chart of risk areas together with their level of risk and a brief explanation. The aim is to present the risk assessment as clearly as possible so that it can be easily used and efficiently referred to by the company's senior management and supervisory personnel.(6)
Finally, the risk assessment should make recommendations regarding the priorities for compliance programme activities in the coming year or quarter. High-priority risks concerning violations of the amended act should be addressed first, followed by moderate and low risks. Recommendations should state the actions that might be required. Depending on the nature and priority of the particular risk, a company may have to take action, including:
- further investigation and testing;
- modification of current procedures;
- training of employees;
- self-reporting a potential violation to the commission; or
- recalling a product.
As best practice, the risk assessments' recommendations should be presented to and ratified or approved by management, the board or both. However, in all circumstances the risk assessment should be in writing. Documentation of each step of the assessment process is key. The amount of documentation will depend on the size and complexity of the company and its business operations. The larger and more complex the company's operations, the greater the number of processes that must be documented. For smaller companies, the process can be much simpler. In any event, the risk assessment process is a crucial first step in the development of a compliance programme.
Due to the complexity of the amended act and the substantial increase in potential penalties, companies involved in any aspect of the consumer product business should have a comprehensive compliance and ethics programme that includes an emphasis on the amended act. The US Sentencing Commission has established criteria for evaluating the effectiveness of a compliance and ethics programme.(7) These standards are used by most federal enforcement agencies, including the Department of Justice, in assessing the programmes of companies which are investigated for regulatory violations. Among other things, an effective compliance and ethics programme can demonstrate a company's good-faith efforts to comply with a regulatory scheme, thus negating any criminal intent or disregard of compliance obligations. This can help to reduce or eliminate criminal, civil or administrative penalties under the amended act. In order to get this benefit, a compliance and ethics programme must be truly implemented and integrated into the company's business operations. It cannot be a 'paper' programme with written standards that are ignored or never implemented.
The Sentencing Commission has established two primary criteria for compliance and ethics programmes developed under the amended act: (i) they must exercise due diligence to prevent and detect improper conduct; and (ii) they must promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law. In turn, the exercise of due diligence requires that, at minimum, the programme include the following:
- written standards and procedures;
- involvement by the governing authority and high-level officials;
- employment and advancement practices that are consistent with the compliance and ethics programme, and that promote an organizational culture that encourages ethical conduct and compliance with the law;
- training and regular dissemination of information relevant to the compliance programme and its objectives;
- monitoring, auditing and periodic evaluation of programme effectiveness (this includes the option of reporting potential violations and asking questions through an anonymous or confidential hotline/helpline system);
- enforcement of the compliance and ethics programme throughout the organization, using incentives to encourage employees to perform in accordance with the programme and appropriate disciplinary measures for misconduct;
- implementation of appropriate remedial actions to respond to violations and prevent further improper conduct, including modifying the compliance and ethics programme; and
- periodic assessment of the risk of compliance and ethical violations, along with appropriate modification of the programme to address changing compliance risks effectively.
The Consumer Product Safety Improvement Act of 2008 introduced a broad new array of consumer product regulations. Companies that make, import, distribute, buy or sell consumer products must recognize the risks they face under this complex regulatory regime. Well-developed risk assessment and compliance and ethics programmes can help to ensure proper compliance with the new consumer product safety laws and protect businesses from potentially devastating penalties.
For further information on this topic please contact Charles E Joern, Jr at Holland & Knight LLP's Chicago office by telephone (+1 312 263 3600) or by fax (+1 312 578 6666) or by email ([email protected]). Alternatively, contact Christopher A Myers at Holland & Knight LLP's McLean office by telephone (+1 703 720 8600) or by fax (+1 703 720 8610) or by email ([email protected]).
(1) 'Consumer products' are defined in the amended act as any article or component part which is produced or distributed for sale to a consumer for use in or around a household, residence, school, place of recreation or otherwise. Consumer products do not include tobacco products, motor vehicles or motor vehicle equipment, pesticides, firearms and ammunition, aircraft, boats, drugs, medical devices, cosmetics or food (15 USC 2052).
(2) The increases in civil penalties are effective from the earlier of August 14 2009 or when the commission issues final regulations regarding its interpretation of the factors used in assessing civil penalties (2008 act, §217).
- the age of the consumer that the manufacturer intends the product to be used by;
- the age of the consumer the product is marketed to;
- the ordinary consumer's understanding of the product's intended age use; and
- the extensive Age Determination Guidelines used by the commission staff.
(6) A company's board of directors must also be provided with sufficient information to exercise reasonable oversight over and understand the company's compliance efforts. It is good practice to present risk assessment information to the board on a periodic basis so that the board can understand how and why management has established the compliance programme requirements it has.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription