Section 6(b) Information Disclosure

Background: Section 6 restricts CPSC’s public disclosure of manufacturer and product specific information. On April 1, 2019, CPSC learned that such information had been released through the Information Clearinghouse to the public without following the procedures required by the law. Upon learning of this unauthorized disclosure, CPSC staff immediately halted the transmission of data from the Information Clearinghouse and required all such requests to be routed through the FOIA Office instead. This new process provides a two-step verification before publicly disclosing manufacturer and product specific information.

CPSC staff also evaluated whether other instances of unauthorized disclosure had occurred. Based on this review, CPSC staff determined that information on approximately 11,000 unique manufacturers had been improperly disclosed since 2017. CPSC staff immediately notified recipients and asked them to return or destroy the information. Almost all of the recipients have agreed to destroy the information, with only a few not agreeing to comply and a few yet to respond.

CPSC considers unauthorized disclosure of information to be a serious issue. After notifying recipients on April 5 of the unauthorized disclosure, the agency developed a phased action plan intended to provide rapid notification to all affected manufacturers, and more detailed information for all manufacturers who seek it. A description of the Phases follows.

  • Phase One: Over the course of a two-day period, April 11-12, CPSC sent an initial communication to all identified manufacturers (approximately 11,000) to inform them that an unauthorized disclosure had occurred. This communication provided timely notification to affected manufacturers and allowed CPSC to confirm that the communication was sent to the appropriate entity by requesting that each manufacturer respond to a dedicated CPSC mailbox.
    • Status update: Approximately 11,000 manufacturers received this initial notification as of April 12.
  • Phase Two: Starting on April 15, CPSC began to provide additional information to manufacturers who responded to the initial communication of Phase One, prioritizing communications with those manufacturers whose information was provided to Consumer Reports (CR) given that CR received the largest tranche of information that has not been returned or destroyed. The Phase Two notification informed manufacturers that their information had been disclosed to CR and that the disclosure involved summaries of incident reports and In-Depth Investigations (IDIs). The notice indicated that their information had been disclosed to CR on December 11, 2017, August 10, 2018, or February 6, 2019 and informed the manufacturer that CR declined to return or destroy the information. Finally, because the CPSC had previously provided each manufacturer with the incident reports, investigations, or other documents involving its products, the Phase Two notice provided the manufacturer with document numbers so that the manufacturer could match those numbers with information previously communicated from CPSC.
    • Status update: 1,100 manufacturers who responded to CPSC’s Phase One notice have received Phase Two information as of May 15.
  • Phase Three: For manufacturers with additional questions after receiving the document numbers of the underlying documents, or who were unable to identify the underlying documents in their records, CPSC began Phase Three notifications on May 2. These notifications provide additional information in the form of a spreadsheet that contains all rows of data about a manufacturer that were sent to CR except for four discrete columns of information related to manufacturer name and model. Some incidents involved more than one product or manufacturer. Therefore, CPSC omitted this information to ensure no additional unauthorized disclosures would occur.
    • Status update: 320 manufacturers who requested additional information received Phase Three responses as of May 15.
  • Phases Four and Five: Beginning the week of May 6, CPSC staff initiated follow-up communications with manufacturers whose information was sent to recipients other than CR. These communications will replicate the process in Phases Two and Three and provide the same type of information CPSC provided in those phases. That is, CPSC will provide document numbers related to information CPSC previously provided as well as more detailed spreadsheet information to those who have additional questions.
    • Status update: 1060 manufacturers whose information was sent to recipients other than CR will receive Phase 4 details about unauthorized public disclosure of manufacturer and product specific information as of May 15.

Frequently Asked Questions

What should recipients of the unauthorized information do?

Recipients of this information are instructed to return the information to CPSC or destroy the information and certify its destruction. This information should not be published or further disseminated. Almost all of the recipients of the information have already agreed to return or certify destruction of the information. CPSC continues to contact the few recipients who have not yet agreed to return or destroy the information released without authorization.


What should manufacturers do if they were notified that some of their information was released?

Manufacturers notified by CPSC about the unauthorized disclosure of information should contact CPSC at if they want to receive additional information and updates.


How many manufacturers were affected by the unauthorized disclosure of information?

Approximately 11,000 manufacturers were contacted about the unauthorized disclosure of information.


What has CPSC done to avoid this in the future?

CPSC took immediate steps to address this issue going forward. All incident report requests are now routed through CPSC’s FOIA Office. This procedure includes a two-step verification.


Who did this and what has been done with that employee/s?

The Inspector General (IG) is examining the circumstances surrounding this unauthorized release of information. CPSC will take appropriate disciplinary action and other necessary actions if warranted once the IG completes an investigation and a report is available.


How can I be sure incident data I report to CPSC is not compromised going forward?

CPSC took immediate steps to address this issue going forward. All incident report requests are now routed through CPSC’s FOIA Office. This procedure includes a two-step verification.


Was Personally Identifiable Information (PII) also released in this unauthorized disclosure?

CPSC identified some instances of linkable PII included in this unauthorized disclosure of information. A multi-disciplinary team, using government guidelines, performed an assessment of this PII. Its assessment resulted in the determination that the PII involved presented a low risk of harm for potentially affected individuals.


Should I be concerned if I have not heard from CPSC?

CPSC reviewed the unauthorized disclosure of information and contacted affected manufacturers. If you are concerned you were not contacted, please email CPSC at so CPSC staff can follow up directly with you.


How will CPSC provide updates concerning this issue?

CPSC will periodically update the status of activities related to this unauthorized disclosure of information. If you have additional questions, please email CPSC at and we will address your inquiries as well as add additional questions and answers to this page as appropriate.