Private Eyes: When is Company Information Shared with the CPSC Confidential?
Entities regulated by the U.S. Consumer Product Safety Commission (CPSC) should have greater confidence in sharing confidential business information with the agency following a U.S. Supreme Court decision earlier this year that addressed the U.S. Department of Agriculture’s duty to disclose information in response to a Freedom of Information Act (FOIA) request.
In Food Marketing Institute v. Argus Leader Media (FMI), the Court did not allow a third party to use the FOIA to obtain businesses’ confidential information from the USDA. There, a news organization had filed a FOIA request seeking to obtain grocery stores’ data on sales they made to participants in the Supplemental Nutrition Assistance Program (SNAP). Companies typically view sales data as confidential information, and the USDA too had previously taken the stance that sales information was confidential and exempt from disclosure under FOIA.
The FOIA exempts trade secrets and commercial or financial information from disclosure. 5 U.S.C. § 552(b)(4) (FOIA Exemption 4). Some circuit courts hold that this exemption applies only where businesses can demonstrate that they would likely suffer actual or even substantial harm if the information is disclosed. In FMI, the Court rejected this test and adopted a new, business-friendly test. It held that information is confidential and exempt under the FOIA according to three prongs:
the type of information is customarily treated as private
the information’s owner actually treats the information as private
the owner provides the information to the government “under an assurance of privacy”
This test could reshape how federal agencies – including the CPSC – handle confidential information.
The FMI FOIA Test and the CPSC
The CPSC is governed by the information-disclosure provisions of Section 6 of the Consumer Product Safety Act (CPSA). 15 U.S.C. § 2055. The most familiar provision – Section 6(b) – requires the CPSC to take certain procedural steps before it discloses information the agency is authorized to share.
Section 6(a) also provides that the agency is not authorized to share FOIA-confidential information. 15 U.S.C. § 2055(a)(2). Section 6(a) expressly incorporates the FOIA’s meaning of the word “confidential,” so the FMI Court’s test imports directly into the CPSA.
But is the type of information that companies submit to the CPSC likely to fit within the FMI test for Exemption 4 and therefore be protected from disclosure? The answer seems likely to be “yes.”
Prong 1: Customary Treatment of the Information
Companies regulated by the CPSC provide the agency with sales data, the information that was at issue in FMI, and they also frequently share highly confidential product design, manufacturing process, or self-critical analysis information. Even under the prior “substantial harm” tests, these categories of information had a fair chance of meeting the standard, as their disclosure could threaten competitive harm. With the new FMI test, companies should be able to satisfy this prong.
Prong 2: The Owner’s Treatment of the Information
FMI asked if the owner of the information actually treats the information as confidential. Of course, marking confidential information as “Confidential” – likely already standard practice for most – is a good first step. But courts may find that other behavior, like sharing information outside the company or even too broadly in-house, negates any markings, so companies should take care that they indeed handle confidential information as confidential.
In sharing with the CPSC, companies should use markings that expressly invoke the CPSA’s statutory assurances of privacy (discussed below). These markings should accompany every confidential communication, because a single assertion of confidentiality at the first communication may not always accompany the information as it makes its way through the agency.
Prong 3: Assurances of Privacy
In FMI, these assurances of privacy came from agency practice, with USDA assuring grocers that it would not disclose the SNAP data absent a court order. This prong should be even easier to satisfy when companies disclose information to the CPSC, because the CPSA itself provides assurances of privacy by establishing both pre-disclosure procedural requirements (Section 6(b)) and categories of information that cannot be disclosed at all (Section 6(a)). Through Section 6, Congress has assured companies regulated by the CPSC that the agency will not release their confidential information and that they will have a pre-disclosure opportunity to assert confidentiality.
Section 6(b)(1) allows companies to review any proposed CPSC disclosure that would identify a particular product or manufacturer, whether or not the information is marked confidential. This is an assurance that the CPSC will handle even potentially sensitive information sensitively. Companies should preemptively invoke this protection by expressly asking the CPSC to give them notice before disclosing information pursuant to Section 6(b)(1) when they share confidential information with the CPSC.
Section 6(b)(5) provides an even stronger assurance than the FMI decision by putting some of the most sensitive information companies provide in a separate lockbox. The agency “shall not disclose” information submitted pursuant to the CPSA’s hazard-reporting provision, Section 15(b), unless specific statutory exceptions apply. 15 U.S.C. § 2055(b)(5). The CPSC has interpreted this provision to cover information that companies mark as submitted pursuant to Section 15, as well as any staff-generated documents that contain Section 15 information. 16 C.F.R. § 1101.63.
And by requiring the CPSC to adopt the FOIA’s protection for confidential business information, Section 6(a) provides further assurance that the agency will respect confidentiality, particularly in light of FMI. These assurances should be available even where companies do not expressly preserve them, because the agency is bound even by laws companies do not invoke, but clearly asserting protection is always a good practice.
In sum, when companies disclose confidential information to the CPSC, they should plainly mark the information as confidential and request 6(b) process protections. Where applicable, they should also mark Section 15 information. These steps will provide the most complete protection available for the kinds of information that the CPSC relies on for its expert analysis but that companies are unwilling to share publicly.
 The Court suggested in dicta that it might not even find the “assurance of privacy” necessary, but, as USDA had expressly assured the grocers that it would keep their information confidential, the Court did not reach that issue.