Sunday, May 2, 2010

Protecting Children Online - Where we are and where we’re heading under the Children’s Online Privacy Protection Act (COPPA)

Background: The Children’s Online Privacy Protection Act of 1998 (COPPA), with its implementing regulations, the Children's Online Privacy Protection Rule (COPPA Rule) (in effect since April 21, 2000), has served as the primary law in the U.S. for protecting personal information about children online. It’s a gross understatement to say that the Internet is a different world from what it was when COPPA and the COPPA Rule were implemented. Suffice it to say that the world of social networks combined with mobile computing has, for better or for worse, become the fabric of our children’s world – and in 1998 social networks were not even in Congress’s imagination. The Federal Trade Commission (FTC), charged with enforcement of COPPA, has scheduled a COPPA Rule Review Roundtable on June 2, 2010 and is collecting comments through June with the objective of seeing whether changes to the COPPA Rule should be considered. On April 29th, Senate Commerce Chairman John (Jay) Rockefeller, D-W.Va., said that Congress may also need to consider making changes to COPPA itself. So, it’s a good time to review what COPPA requires and what might be changed.

First – A Word of Caution: COPPA enforcement is alive and well. Late last year Iconix Brand Group, Inc. agreed to pay a $250,000 civil penalty to settle FTC charges that Iconix violated COPPA by knowingly collecting, using, or disclosing personal information from children online without first obtaining their parents’ permission. The FTC order also contains standard compliance, reporting, and record-keeping provisions to help ensure that Iconix abides by its terms. Often the internal costs of complying with FTC-ordered monitoring and reporting obligations can exceed the amount of the fine. Nobody wants to be caught in the FTC’s crosshairs.

Summary of COPPA:

The COPPA Rule has broader coverage than commonly thought. It applies to: (1) websites directed to children under 13 that collect personal information from children; (2) general audience websites that knowingly collect personal information from children under 13; and (3) general audience websites that have a separate children’s area and that collect personal information from children. It is important to emphasize that COPPA only applies to children under 13. No protection is extended to children 13 and above. Whether this age cutoff leaves many vulnerable children still vulnerable can be debated, but it does not seem to be seriously on the table for reconsideration.

Covered websites are required to: (1) post a privacy policy on the homepage of the website and link to the privacy policy everywhere personal information is collected; (2) provide notice to parents about the website’s information collection practices and, with some exceptions, get verifiable parental consent before collecting personal information from children; (3) give parents the choice to consent to the collection and use of a child’s personal information for internal use by the website, and give them the chance to choose not to have that personal information disclosed to third parties; (4) provide parents with access to their child’s information, and the opportunity to delete the information and opt out of the future collection or use of the information; (5) not condition a child’s participation in an activity on the disclosure of more personal information than is reasonably necessary for the activity; and (6) maintain the confidentiality, security and integrity of the personal information collected from children.

The most challenging parts of the COPPA Rule to comply with are the requirement to get parental consent before collecting a child’s information and the procedures for allowing a parent to review the child’s personal information, have it deleted, and refuse to allow the further collection or use of the child’s information. Privacy policies and the entire operation of covered websites must be carefully reviewed for compliance with the COPPA Rule.

For instance, how is parental consent verified? Under a 2005 Amendment to the COPPA Rule, a sliding-scale mechanism was confirmed so that lower-risk usage of information is subject to a lower-level verification process and higher-risk usage is subject to a higher level of verification. If a website collects information for its own internal use (i.e., the lower risk level), then an email message to the parent, combined with additional verification steps (such as sending a delayed confirmatory email message to the parent after the original consent is received, or confirming consent via the telephone or standard mail), will be sufficient. However, where information will be disclosed to the public or to a third party (i.e., the higher risk level), higher levels of initial verification are required, such as confirmation via a signed consent form returned to the website operator, requiring the parent to use a credit card during the confirmation process, or requiring the parent to call a toll-free number, among other methods listed in the Amendment.

The COPPA Rule also provides that a website’s compliance with FTC-approved self-regulatory guidelines serves as a safe harbor in any enforcement action for violations of the COPPA Rule. Several organizations have been approved by the FTC for verifying compliance to qualify for the safe harbor.

What Changes Will Likely Be Considered?: The primary issues that will be considered will involve the impact of social networks, mobile computing, interactive television and interactive gaming on the collection of personal information from children. Additionally, the “below 13” threshold might also be reconsidered in light of state law changes (as in Maine – which, however, subsequently repealed its new privacy law).

The whole process for verifying age is also one that might be considered. Today the primary method is by asking the user to put in a birth date. However, it does not take much sophistication for a child to realize the purpose of this data field and insert a date indicating that they are at least 13. For instance, Facebook does not allow members less than 13 years of age. However, don’t most kids know this and know how to get around it? Facebook’s Director of Public Policy, Tim Sparapani acknowledges that it is currently impossible to verify someone’s age online, but claims that Facebook has safeguards in place aimed to block children under 13 from joining. He also does not believe that Congress should get involved by amending COPPA – because this would “discourage innovative ideas aimed at enhancing teen and children safety” and might actually “undue many of our innovative privacy and safety tools.” Hmmm – probably not a disinterested perspective I would say!

Other items that might be considered:

  • Use of automated systems that filter out personally identifiable information prior to posting for children’s website submissions.
  • Whether the COPPA Rule’s definition of “personal information” should be expanded to include items such as persistent IP addresses, mobile geolocation data, or information collected in connection with behavioral advertising.
  • Whether the COPPA Rule’s process for FTC approval of self-regulatory guidelines – known as safe harbor programs – has enhanced compliance, and whether the criteria for FTC approval and oversight of the guidelines should be modified in any way.

Bottom line: Websites that are subject to COPPA should be thoroughly reviewed prior to launch. Additionally, since changes to these websites may occur frequently, periodic reviews should be performed as well to verify ongoing compliance.

Monday, November 16, 2009

The truth, the whole truth and nothing but the truth: The new FTC guidance on endorsements

Summary: The Federal Trade Commission (FTC) has issued revised Guides Concerning the Use of Endorsements and Testimonials in Advertising (Guides) which will take effect on December 1, 2009. The main purposes of the revisions are (1) to update the application of the Guides to new media and (2) to rescind a safe harbor that previously allowed ads stating positive results experienced by consumers, even though such results could not necessarily be expected by the average consumer, provided the statement “Results not typical" was included in the ad. Now the actual typical results need to be stated in the ad.

While the Guides only represent the FTC's interpretation of the law and are not binding, the Guides are not difficult to comply with – and I guarantee that you don’t want to be on the receiving end of an FTC action.

Purpose: The primary purpose of the Guides is to require disclosure when a person giving an endorsement for a product or service is in some manner being compensated by the advertiser for the endorsement. In other words, it is deceptive for a paid endorsement to appear as if it is an independent and objective opinion. For example, if a mother-consumer is paid $1,000 for saying that she prefers a certain diaper, the viewing public needs to know this fact.

New Media Changes the Game: Since 1980, when the FTC first issued the Guides, communication broadcasting has, of course, dramatically changed with the advent of the Internet. Now, everyone can broadcast their opinion to the world through personal websites, blogs, discussion forums, social networks, and by means not yet contemplated (until announced in the next month or so). These various Internet communication forms shall be referred to in this article as “New Media Forms.” The Guides have been revised to address New Media Forms, because there are now many types of communications that are really ads but don’t necessarily appear to be ads.

Endorsements: Since the Guides deal with endorsements, the first step is to determine whether an opinion or review is an endorsement. According to the Guides, “an endorsement is any advertising message (including verbal statements, demonstrations, or depictions of the name, signature, likeness or other identifying personal characteristics of an individual or the name or seal of an organization) that consumers are likely to believe reflects the opinions, beliefs, findings, or experiences of a party other than the sponsoring advertiser.” Following are some examples in the Guides which will clarify this issue. (I have modified these examples somewhat and added my own commentary for clarification):

Example: A tennis star writes on her Facebook page about laser surgery she received from XYZ clinic. She states that the surgery helped her game, and she is compensated by XYZ clinic for making such statements. This needs to be disclosed, because in the context of a Facebook page, the public will not assume that this is a paid endorsement.

Example: A college student has a popular blog where he reviews video games. A video game manufacturer provides him with a free game system to review. He needs to disclose that the game system was provided to him for free, because this is the type of compensation that could influence his review. On the other hand, David Pogue who reviews technology gadgets for The New York Times would not have to reveal that he receives products for free (if in fact this is the case), because the public would assume that this is the case in the context of being an employee of the newspaper.

Example: A woman who has a personal blog receives a free sample of dog food in the mail because the local store recognizes that she regularly shops there. When she reviews this dog food on her blog she does not have to disclose that she received the food for free, because the store did not send it to her for this purpose and there is no expectation on her part to receive continued free samples.

Example: In a discussion forum on music download technology, one of the participants is an employee of a company that has such products and the employee has been promoting these products in the forum. The employee would need to disclose this fact, otherwise his posts would be deceptive, because they would appear to be independent objective opinions.

Veracity of Endorsements: Believe it or not – the opinion stated in an endorsement has to be true in all respects. It must reflect the honest opinions, findings, beliefs, or experience of the endorser. Furthermore, the endorsement of an expert or celebrity may be used only so long as the advertiser has good reason to believe that the endorser continues to maintain the view presented. Therefore, there must be some periodic effort by the advertiser to verify that the endorser’s views have not changed. When you hear on the radio or see an ad where a celebrity claims to use a particular product, have you ever wondered whether she or he really does? Well, the Guides say that they must actually use the product at the time of the endorsement, and the endorsement can continue to run only as long as the advertiser does not have any reason to question whether the product is still being used. In the online environment, where endorsements are being made in multiple venues, are often being made independent of ongoing advertiser supervision, and may be transmitted and archived on sites for long periods, the advertiser must implement some system to verify that the endorsement is still valid.

Advertiser Responsibility: It’s important to note that advertisers are responsible (read: liable) for false or unsubstantiated statements made through endorsements – even if these statements were not advised or encouraged by the advertiser. For example, a skin care manufacturer, through its marketing agent, distributes free samples to bloggers known to review such products. A blogger makes a claim (e.g., the product cures eczema) that the advertiser does not make about the product. If this claim is not true, then the advertiser, as well as the blogger, would be responsible for this false claim.

Important: According to the Guides, the advertiser must actually ensure that its bloggers and other New Media Form hosts are notified and trained so as to be able to comply with the truthfulness, substantiation and disclosure requirements set forth in the Guides. If the advertiser identifies violations in the endorsements, the advertiser must take action to correct the violations. This is a fairly high standard of responsibility placed on advertisers.

Goodbye to “Typical Results” Safe Harbor: If the advertiser does not have substantiation that the endorser’s experience is representative of what consumers will generally achieve, the ad must now clearly and conspicuously disclose the generally expected performance in the depicted circumstances, and the advertiser must possess and rely on adequate substantiation for that representation. Stating that “Results are not typical” will no longer protect the advertiser from FTC claims of false or deceptive advertising. Nonetheless, the FTC has not ruled out the possibility that a strong disclaimer of typicality could be effective in the context of a particular ad. Although the FTC would have the burden of proof in a law enforcement action, the FTC notes that an advertiser possessing reliable empirical testing demonstrating that the net impression of its ad with such a disclaimer is non-deceptive will avoid the risk of the initiation of such an action in the first instance.

  1. Endorsements appearing in New Media Forms require disclosure of compensation or other benefits received or expected to be received from the advertiser. Compensation does not have to be money, and can be any benefit that would be reasonably expected to influence the opinion or product/service review.
  2. Advertisers are required to notify New Media Form endorsers of their obligations regarding disclosures as to compensation and truthfulness in the endorsement content. Advertisers must also monitor the New Media Forms for compliance and take action if there is non-compliance. Therefore, advertisers should have written procedures in place that are followed when utilizing endorsements through New Media Forms. The existence of and compliance with these procedures will be important if ever defending against an FTC action.
  3. The FTC claims that it did not issue the revised Guides with the objective of suing bloggers. However, the FTC did not say that it would not sue bloggers. Therefore, compliance by bloggers with these Guides is the best advice.
  4. Consumer claims of results from use of products or services must be those that can be expected by the average consumer of the product or service; otherwise the result that can be commonly expected must be disclosed. Saying “Results are not typical” will no longer protect an advertiser from claims of deceptive advertising.

Wednesday, July 8, 2009

PCI Compliance: Why websites and hosting service providers cannot afford to ignore it

PCI – What is it?: We can only begin to imagine the losses, liability and other consequences resulting from unauthorized access to credit card information, which, unfortunately, happens all the time. To attempt to deal with this problem, the credit card industry developed the Payment Card Industry (PCI) Data Security Standard (DSS), or PCI DSS, to ensure that companies that process, store or transmit credit card information maintain a secure environment. Compliance with these standards is required of all merchants authorized to accept credit card payments. In 2006, the major credit card companies (Visa, MasterCard, American Express, Discover and JCB) created the Payment Card Industry Security Standards Council (PCI SSC) to manage the ongoing development of the PCI DSS. However, the credit card companies, and not the PCI SSC, are responsible for enforcing compliance. For those interested and brave enough, a copy of the PCI DSS can be found here. It is important to note that PCI compliance, for the most part (more on that later), is not law.

Scope of Obligation: Using a third party to process, store or transmit credit card information does not remove a merchant’s obligation to comply with PCI DSS for these functions. Therefore, the merchant is responsible to see to it that the third party providing these functions is compliant, or face the consequences. Section 12.8.2 of PCI DSS requires a merchant to “[m]aintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.” Merchants can’t assume that third party vendors are PCI compliant. Also, don’t assume that if your site has SSL certificates you are compliant with PCI DSS. Remember, all service providers that touch, manage and/or store a merchant’s credit card information are the direct responsibility of the merchant.

The Consequences Of Non-Compliance: If a merchant is non-compliant and there is a breach of its (or of its third party vendor’s) system, then the merchant bank will do any or all of the following: (1) terminate or suspend the ability of the merchant to accept credit payments until compliance is achieved (which could result in potentially devastating losses of income for an online business), (2) charge the merchant for the cost of reissuing credit cards and other incidental expenses (also a large out of pocket expense), (3) require the payment of an escrow to insure against claims based upon fraudulent use of the breached credit card information, and (4) impose fines.

Becoming Law?: As an aside, I mentioned above that PCI compliance is not law. While that is generally true, both Nevada and Minnesota have incorporated PCI DSS into their personal information security laws. Accordingly, if doing business in either of these states, a business collecting credit card information is required by state law to be PCI compliant.

What Should a Merchant Do?: The bottom line is that merchants cannot shift the primary obligation of PCI compliance to service providers. Credit card companies will always hold the merchant primarily responsible for compliance and any breaches. However, the merchant has the ability to mitigate its risks. The two ways available to mitigate the risk are insurance and contractual provisions in the service provider agreements. For insurance, contact your agent. However, below are suggestions for how to place responsibility and liability for compliance on the service providers. Of course, these suggestions should be drafted, negotiated and implemented by an attorney experienced in this area of law.

  • Review merchant bank and card processing agreements in order to identify the merchant’s compliance requirements.
  • Assess the risk posed by each service provider by evaluating (1) transaction volume, (2) whether the service provider’s system has been independently assessed for security, and (3) whether the service provider has an incident response plan in place to mitigate harm to the merchant from a security breach.
  • Negotiate provisions in provider agreement that obligate the service provider to conform to the merchant’s compliance requirements, and to maintain other risk mitigation procedures and policies (which can include reporting, audits and assessments).
  • Assess and negotiate remedies for non-compliance, such as indemnification, penalties, and termination.
  • Require service providers to maintain adequate insurance and list merchant as an additional insured.
  • Note: If possible, many of these requirements are best raised at the time of an RFP – otherwise, if a merchant waits until contract negotiations, it will be at a disadvantage.

Friday, June 12, 2009

Behavioral Tracking: Anonymous and harmless - or insidiously intrusive? And…Google leads the pack

On February 12, 2009, the Federal Trade Commission (FTC) issued: FTC Staff Report: Self-Regulatory Principles For Online Behavioral Advertising. This document contains guidelines for self-regulation, and there are indications that if the guidelines are not followed by successful self-regulation, then the FTC will impose binding regulations, something that most industries don’t wish to see.

Background: Last March, the Interactive Advertising Bureau (IAB) announced that revenue from advertising on the Internet in 2008 surpassed $23 billion in the U.S. It is this ad revenue that in large part allows for the almost universal offering of free content. Therefore, continued strong and increasing revenues from ads are critical to maintaining a free-of-charge Internet.

Accordingly, the industry is constantly seeking ways to increase ad revenue. One of the most efficient methods is simply to increase the accuracy of the matching of specific ads to people who are most likely interested in those ads. As this accuracy increases, the likelihood that a viewer will click on an ad increases. Therefore, the per impression charges would increase, and more clicks are likely to occur, thereby increasing per-click revenue.

Enter behavioral targeted advertising. The technology is simple. An ad network serves ads. When it serves ads, the network will place one of those “harmless” little cookies on a visitor’s computer. Let’s examine Google, which is the largest ad network, as an example: Google has thousands of websites as part of its network. So, when the visitor surfs from one site over to another, which very likely is also part of the Google publisher network, the cookie will indicate the prior site or sites that the person visited. The information that a cookie can contain includes pages and content viewed, the time and duration of visits, search queries entered into search engines, and whether a computer user clicked on an advertisement. Ads will then be served to visitors based upon this tracking information.

Problem: OK, we recognize that this is a powerful tracking mechanism that can aggregate large quantities of information that many people would not feel comfortable having aggregated. However, ad agencies claim that there really is no invasion of privacy or reason to be concerned because no individual is ever identified or associated with the gathered information. The only “identifying” information is the IP address, which relates to a single device, but there is no way to connect that to an individual.

In the FTC Staff Report, the FTC does not buy this argument and believes that the gathering of non-personally identifiable information poses privacy concerns. Some of these reasons are:

  • This information can possibly be combined with personally identifiable information gathered from other sources.
  • It may be possible in the near future to actually identify a person from the IP address of their computer.
  • “Common identifiers” between personally identifiable information and non-personally identifiable information might provide a link between the two.
  • Studies indicate that even if individuals cannot be identified, the public is concerned that such tracking occurs.

As far as the FTC is concerned, the issue is not the collection, per se, of such data. Rather, it is the invisibility of the data collection process to consumers (i.e., they don’t know that it is occurring and therefore have no ability to opt in or opt out) and the risk that the information collected – including sensitive information regarding health, finances, or children – could fall into the wrong hands or be used for unanticipated purposes.
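As an added example (not from the post or the FTC report), the Python script below shows on constructed log lines how the single ad-network cookie described above accumulates a cross-site profile, including the sensitive categories the report names, and how a common identifier (the client IP address plus a time window) can join that “anonymous” profile to a named account. The domains, cookie values, log formats and keyword lists are all made up for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Constructed ad-server access log (simplified Common Log Format plus the
# Referer and Cookie headers): one line per ad request reaching the network.
AD_LOG = """\
10.0.0.7 - - [12/Jun/2009:09:01:10 -0400] "GET /ad?slot=top HTTP/1.1" 200 "http://news.example/health/diabetes-diet" "uid=c4f1"
10.0.0.7 - - [12/Jun/2009:09:05:42 -0400] "GET /ad?slot=side HTTP/1.1" 200 "http://search.example/results?q=insulin+pump+cost" "uid=c4f1"
10.0.0.7 - - [12/Jun/2009:09:20:03 -0400] "GET /ad?slot=top HTTP/1.1" 200 "http://bank.example/mortgage-rates" "uid=c4f1"
10.0.0.9 - - [12/Jun/2009:09:21:00 -0400] "GET /ad?slot=top HTTP/1.1" 200 "http://kids.example/games" "uid=a9e2"
10.0.0.7 - - [12/Jun/2009:10:02:11 -0400] "GET /ad?slot=top HTTP/1.1" 200 "http://shop.example/cart" "uid=c4f1"
"""

# Constructed first-party login log from one publisher. It never sees the ad
# cookie, but it shares the client IP address and timestamps with the ad log.
LOGIN_LOG = """\
2009-06-12T10:02:05-0400 login ok user=jane.doe@example ip=10.0.0.7
2009-06-12T10:30:00-0400 login ok user=someone.else@example ip=10.0.0.42
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d+ '
    r'"(?P<ref>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Categories the FTC report singles out as sensitive, keyed on words that
# appear in the referring URL. The word lists are illustrative only.
SENSITIVE = {
    "health": {"health", "diabetes", "insulin"},
    "finances": {"bank", "mortgage", "loan"},
    "children": {"kids", "children"},
}


def parse_ad_log(text):
    """Turn each ad-log line into a dict: client ip, time, cookie uid,
    referring site, the words in the referring URL and any search query."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        cookies = dict(kv.split("=", 1) for kv in m["cookie"].split("; ") if "=" in kv)
        ref = urlparse(m["ref"])
        words = set(re.findall(r"[a-z]+", (ref.netloc + ref.path).lower()))
        query = parse_qs(ref.query).get("q", [None])[0]
        if query:
            words |= set(re.findall(r"[a-z]+", query.lower()))
        events.append({
            "ip": m["ip"],
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "uid": cookies.get("uid"),
            "site": ref.netloc,
            "words": words,
            "query": query,
        })
    return events


def build_profiles(events):
    """Aggregate everything seen under one cookie id across all publisher
    sites: this is the cross-site profile the post describes."""
    profiles = defaultdict(lambda: {"sites": set(), "searches": [], "categories": set()})
    for ev in events:
        if ev["uid"] is None:
            continue
        p = profiles[ev["uid"]]
        p["sites"].add(ev["site"])
        if ev["query"]:
            p["searches"].append(ev["query"])
        for cat, terms in SENSITIVE.items():
            if ev["words"] & terms:
                p["categories"].add(cat)
    return dict(profiles)


def link_by_ip(events, login_log, window=timedelta(minutes=15)):
    """Join a cookie profile to a named account through a common identifier
    (client IP address) seen within a short time window of a login; this is
    the linkage the FTC staff report warns about."""
    logins = []
    for line in login_log.splitlines():
        m = re.match(r"^(\S+) login ok user=(\S+) ip=(\S+)$", line)
        if m:
            logins.append((datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%S%z"), m[2], m[3]))
    linked = {}
    for ev in events:
        for when, user, ip in logins:
            if ev["ip"] == ip and abs(ev["time"] - when) <= window:
                linked.setdefault(ev["uid"], user)
    return linked


if __name__ == "__main__":
    evs = parse_ad_log(AD_LOG)
    for uid, prof in build_profiles(evs).items():
        print(uid, sorted(prof["sites"]), prof["searches"], sorted(prof["categories"]))
    print("linked:", link_by_ip(evs, LOGIN_LOG))
```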

Some Statistics on Google’s Presence: On June 2, 2009, The New York Times reported on a study released on June 1, 2009 by graduate students at the University of California. That study found that between Google Analytics (a free product that can be installed to allow gathering of statistics on visitor activities) and DoubleClick (owned by Google), Google had cookies present on 92 of the top 100 domains. Also, out of an examination of 400,000 domains, Google’s presence remained high at 88%; the runner-up tracking company, StatCounter, only appeared on 7% of the 400 domains! Talk about a 500 lb gorilla! Google’s presence on these third party sites derives from Google Analytics, DoubleClick and AdSense. Therefore, as one of the students preparing the study pointed out, even if someone does not go to, Google is collecting massive data about that person. Google claims that it does not, and does not have the ability to, aggregate the data from these various sources. However, the future capability is certainly within Google’s grasp, if it sought to go there.

Current State: The FTC Staff Report agreed that certain behavioral information gathered does not raise privacy concerns to a level that needs to be covered by the FTC guidelines. These include (1) first party behavioral tracking, which is where a single website tracks behavior only at its site and does not transfer this information to another website, because this is within the expectation of users of websites, and they are aware that it is being tracked, and (2) contextual tracking, where ads are served based upon the web page content, because this is not really tracking and the information is not retained – it is only used for serving the ads at the time the page is being viewed.

Regarding other behavioral tracking, the guidelines “recommend” the following that would apply to all sites where behavioral tracking occurs – which as shown above regarding Google, will apply to almost all websites: (1) sites where behavioral tracking occurs should provide a clear statement that this tracking occurs and allow consumers to choose whether to allow this tracking to occur, (2) security of retained data should take into account the sensitivity of the data (e.g., data on health, finances or children) and data should only be retained as long as necessary to fulfill a legitimate business or law enforcement need, (3) sites should receive affirmative express consent for material changes to existing privacy policies for previously collected data, and (4) companies should collect sensitive data for behavioral advertising only after they obtain affirmative express consent from the consumer to receive such advertising.

Heads Up: FTC Commissioner Jon Leibowitz, in his comment on the FTC Report stated: “Industry needs to do a better job of meaningful, rigorous self-regulation, or it will certainly invite legislation by Congress and a more regulatory approach by our Commission. Put simply, this could be the last clear chance to show that self-regulation can – and will – effectively protect consumers’ privacy in a dynamic online marketplace.” Furthermore, privacy is on the Congressional table. Representative Rick Boucher (D-Va.) has said that he intends to introduce an online privacy bill later this year.

Wednesday, May 20, 2009

Virtual Worlds Do Not Mean Virtual Life: Death and Digital Assets

Problem: For many of us, our online presence has become substantial. Think in terms of Facebook, MySpace, Twitter, Flickr, PayPal, eBay, Gmail, Second Life … the list goes on and on, and will continue to get more complex and intertwined with our lives as each cyber year passes. Now, imagine what happens when someone dies or becomes disabled, and family members may not have either knowledge of or access to the accounts, passwords, etc. Consider the problems that can arise: 

  • An eBay business needs to continue operating
  • Funds in a PayPal account cannot be accessed
  • Photographs on Flickr may need to be removed
  • Loved ones may want to notify social network contacts of the person’s death or modify a Facebook page or blog to make it a memorial page
  • Family members may want to access historical emails contained in a Gmail account or blog archives or close a social network account
  • Domain names may need to be renewed or transferred 

Current State: Some of these digital assets are personal in nature, and others are financial. However, actions in relation to these digital assets cannot be taken without, first, knowledge of the account and, second, knowledge of the user name and password.

Most providers will not release account information without a court order, and by the time the court order is obtained, the usefulness of the access to many of these accounts may be moot. Account data can of course be placed in a will, but, like instructions as to burial preferences, access to this information often cannot wait for a review of the will. 

Consider this provision. Flickr is owned by Yahoo!, and both have the same Terms of Use. Here’s the relevant provision: 

No Right of Survivorship and Non-Transferability. You agree that your Yahoo! account is non-transferable and any rights to your Yahoo! ID or contents within your account terminate upon your death. Upon receipt of a copy of a death certificate, your account may be terminated and all contents therein permanently deleted.  

Currently, there is a lot of uncertainty as to the nature of digital assets and whether they are transferable under a will. Many digital assets may be categorized as intellectual property or may be financial in nature or may be considered protected by privacy considerations. However, they are also subject to the specific Terms of Use applicable to each site. To make matters worse, the outcome may vary from state to state.  

Several years ago, family members sued Yahoo! for access to the email of a Marine who died in Iraq. As a result, the Oakland County Probate Court issued an order directing Yahoo! to grant the access. As you can see from the Yahoo! Terms of Use quoted above, this was the only way for the family members to get access.

Difficult Questions: Service providers are in a difficult position. Email and other online accounts may contain sensitive personal information. Who’s to say that the Marine wanted others to access this account? Perhaps he would have preferred that the account just be deleted. What are good reasons for giving people post-death/disability access to an account? Taking all this into consideration, it was appropriate for Yahoo! to wait for a court order, but this results in a long delay. Directions as to the disposal of such digital assets could be set forth in a will, which would at least speed up the process for obtaining a court order.

Consider the implications of the following Facebook policy: 

Memorializing the account removes certain more sensitive information like status updates and restricts profile access to confirmed friends only. Please note that in order to protect the privacy of the deceased user, we cannot provide login information for the account to anyone. We do honor requests from close family members to close the account completely. 

Suggestions: Various services are being created that will hold digital assets and release them upon proof of death to named persons. However, most Terms of Use documents, even if not as explicit as Yahoo!'s, don't allow accounts to be transferred, don't allow user name and password information to be disclosed to third parties and don't permit third parties to access the accounts. Therefore, websites should consider developing a policy for dealing with this issue, and individuals should plan, on an asset by asset basis, how to dispose of these assets upon death or disability. Remember, our virtual existence does not live forever.

Friday, May 8, 2009

Blockbuster Online: Threatening enforceability of online Terms of Use

Background: It was a bad idea. Blockbuster Online participated in Facebook's Beacon program. As part of the program, when someone with a Facebook account ordered a video through Blockbuster Online, Blockbuster would transmit information on the video ordered to Facebook, which would in turn distribute this information to the purchaser's Facebook friends. Beacon was very controversial when first launched, and cries of privacy violations resulted in Facebook revising the program. However, in addition to a possible privacy violation, Blockbuster's participation may have also violated the Video Privacy Protection Act (18 U.S.C. Sec. 2710), which prohibits a video tape service provider from disclosing personally identifiable information about a customer, including the video titles ordered, without consent. As a result, a class action was initiated against Blockbuster. One would have thought that Blockbuster would be quite on top of the requirements of the Video Privacy Protection Act … oh well…

Defense: Blockbuster's initial defense focused on a technicality. A provision in its website terms requires two things: disputes must be resolved by binding arbitration, and customers waive the right to join in a class action. Customers accepted the website terms by checking off a "checkbox" before ordering videos. The plaintiffs claimed that the arbitration and class action waiver clauses were illusory and should therefore be unenforceable against them. The U.S. District Court for the Northern District of Texas issued a decision on April 15, 2009, essentially agreeing with the plaintiffs' claims.


Holding: The Blockbuster court's decision may be an example of a court reaching the conclusion it wanted in spite of the precedent it relied on. The court held that since Blockbuster, under its website terms, had the unilateral right in its discretion to change the website terms at any time, and the website terms did not limit amendments to the dispute resolution terms to disputes arising after the amendment, the arbitration clause was illusory. The court relied on a prior ruling in Morrison v. Amway Corp. (517 F.3d 248 (5th Cir. 2008)).


The problem is that the court in Morrison dealt with a case where Amway sought to apply an arbitration clause that had been added, at Amway's discretion, by amendment after the original agreement was entered into, and Amway sought to apply that clause to a cause of action that arose prior to its addition. Neither of these factors was present in Blockbuster, where the arbitration clause was part of the original agreement. As a matter of fact, the Morrison court itself distinguished its case from another case in which the arbitration clause had applied from the date the original agreement was signed.


Impact: The Blockbuster court's reliance on Morrison is questionable, as discussed above, and may be overturned on appeal. If not, then the issue can probably be resolved by providing in website terms that changes to dispute resolution provisions will only apply to disputes that arise after the change goes into effect.


The problem with Blockbuster is that its rationale is stated in somewhat broad terms and could be read as holding that any website terms that may be unilaterally modified are illusory and unenforceable. Almost all website terms allow for unilateral modifications, so such an interpretation would have an extremely broad impact.

Practical suggestions/pointers:

Regardless of whether the Blockbuster decision is overturned on appeal, there is a trend in the courts to attempt to weaken websites' one-sided control over website terms. Therefore, the following is recommended: 

  • Website terms should be reasonable and mutual to avoid claims of unconscionability.
  • Since website terms will continue to contain language giving the website the right to unilaterally change the terms, the website terms should state that such changes will not apply retroactively and, in particular for dispute resolution provisions, that changes will not apply to causes of action arising prior to the effective date of the changes. 
  • Websites should use the best means practically available to notify users of changes to the website terms (email, posting notices on website home page, including version dates for all website terms and highlighting material changes that are made). 

Thursday, April 30, 2009

The Amazon Tax: Coming soon to a state near you

Background: Last year, New York started requiring certain out-of-state online vendors to collect and pay New York sales tax on purchases made by New York residents. This has become known as the “Amazon tax,” because Amazon was one of the high profile sites affected and embroiled in the ensuing controversy.

In order to impose sales tax collection requirements on out-of-state vendors, New York had to get around the 1992 U.S. Supreme Court ruling in Quill v. North Dakota (504 U.S. 298 (1992)), which held that out-of-state retailers cannot be required to collect sales tax on sales to persons in states where the retailer does not have a physical presence, because requiring merchants to adhere to the complexities of the state and local tax codes would place an unreasonable burden on interstate commerce.

The New York law gets around Quill by claiming that a physical presence can be established for an out-of-state online retailer (like Amazon) if sales are derived from affiliate sites located in New York that link to Amazon products from their sites with the objective of receiving commissions on the sales. The New York law only applies to online retailers that collect at least $10,000 in annual revenue from affiliates located in New York (unless there is some other physical presence found). It is important to note that prior to this new law, New York consumers were required to report these out-of-state purchases on their tax returns, but this was a law observed in the breach - nobody really did it. The new law is expected to raise $50 million a year – important money in these times of shrinking tax revenue for local municipalities. 

Fallout: There were two predictable backlashes from the Amazon tax –

(1) Lawsuits filed by Amazon and Overstock seeking summary judgment against New York. However, on January 12, 2009, a New York State judge dismissed those lawsuits, potentially sending the cases on to the Court of Appeals.

(2) Cancellation of relationships with New York affiliates, which Overstock did in an effort to demonstrate that the Amazon tax will actually result in a decrease in tax revenue due to the loss of income by New York affiliate sites. 

Current Developments: In the next few weeks, legislators are expected to introduce bills in the House and Senate, drafted by the National Conference of State Legislatures, doing away with the "physical presence" requirement. The result is that states would be able to require out-of-state vendors to collect sales tax on in-state purchases. If such a bill passes, all online retailers, except for the smallest, would very quickly be required to collect sales taxes in the 23 states that are part of the Streamlined Sales Tax Project. Other states would soon follow suit.

The question is not whether such a bill will pass, but only when it will pass. However, the jury is out as to whether such a bill will pass in 2009. The argument that imposing sales tax would hamper the growth of the Internet no longer holds much water now that the Internet has become a powerful and entrenched economic environment. Amazon actually supports the federal legislation, but is concerned about the difficulty of complying with a myriad of state and local sales tax regimes. eBay, on the other hand, is very against the measure, because such a law would impose a burden on its sellers to collect and pay the taxes (and not on eBay). 

Practical suggestions/pointers: 

Expect more states to try to emulate New York rather than wait around for federal legislation. For instance, a proposal to tax certain online sales in Maryland, modeled after the New York law, was introduced this year but was still in committee a few days before the end of the Maryland General Assembly's regular session. Maryland estimates it could raise $7 million annually from such a tax. 

Expect affiliate marketing programs that have served to speed the growth of the Internet and e-commerce to become more restrictive in order to avoid these new laws. 

Start planning and budgeting for resources necessary to comply with sales tax collection laws from numerous states – because it’s only a matter of time.