Thursday, March 11, 2010

Colorado's HB 1193 Risks Constitutional Violations and Threatens Consumer Privacy

The assault on eCommerce by short-sighted state legislators and tax officials continues. By now, many of you have heard or read about the new Colorado law (HB 1193), enacted in February, that imposes certain sales tax notice and reporting obligations upon each “retailer that does not collect Colorado sales tax.” Under the law, most non-collecting retailers are required:

(a) beginning effective March 1, 2010, to inform their Colorado purchasers of the purchaser’s duty to remit use tax on certain purchases under Colorado law;

(b) beginning in January 2011, to provide Colorado purchasers an annual statement of all of their Colorado purchases from the retailer; and

(c) beginning in January 2011, to file annually with the Colorado Department of Revenue a list of all purchasers and the amount of their Colorado purchases.

These new obligations are backed by substantial penalties for retailers that do not comply. Amazon.com reacted to the passage of the bill by terminating all of its Colorado online affiliate relationships, angering Colorado lawmakers who had worked with Amazon and its local affiliates in removing “New York style” affiliate nexus provisions from earlier drafts of the bill.

But the tiff between Amazon and Colorado is really a side-show that masks the genuine problems with the law, including both potential constitutional violations and invasions of consumer privacy. Colorado lawmakers and revenue officials made no secret during debate on the bill that the new law was expressly intended to force out-of-state online and direct marketers to begin collecting Colorado use tax on their sales to Colorado residents, despite constitutional prohibitions against the imposition of such tax obligations under the Commerce Clause, as reaffirmed by the Supreme Court in Quill Corp. v. North Dakota.

The burdens imposed by the new law are real and discriminatory; no Colorado retailer is required to comply with them, but compliance by out-of-state online and direct marketers is mandatory. Also, given the propensity for “copycat” nexus legislation among the states in recent years, such laws are likely to proliferate in other states soon, unless online and direct marketers (and voting consumers) trumpet the problems with such laws. Already, the South Dakota Department of Revenue & Regulation is following Colorado’s lead by informally demanding that out-of-state companies provide it a list of in-state purchasers who may owe use tax.

Consumers should take note because the new Colorado law suggests that some state lawmakers feel that the answer to encouraging increased use tax compliance by online shoppers is the systematic invasion of their privacy, on a massive scale. Under the Colorado law, every online and mail-order purchaser in Colorado will have the source and amount of his or her purchases from out-of-state sellers fully documented in Colorado Department of Revenue databases, down to the last penny. Such files are presumptively public records, and thus potentially subject to disclosure under Colorado’s Open Records Law. Furthermore, even if the Department resists the formal requests for access to such records that will inevitably come, public agencies such as the Department are typically not subject to data security laws (for example, Colorado’s data breach statute applies only to individuals and commercial entities), and thus, unlike private businesses, are not compelled to have meaningful data security measures in place. Little wonder the great majority of all data breaches have occurred through public agencies, including other Colorado agencies.

Voters in other states beware.