Friday, December 24, 2010
Is a Privacy Battle Brewing? The Department of Commerce Pushes Back On Commercial Privacy Regulation
So, what exactly is the Commerce report, and where is it likely to lead? The Commerce report refers to itself as a “green paper,” which one might think is a nod to wholesome environmental practices. Actually, in government-speak, a green paper is merely a tentative proposal or call for comments that might lead, eventually, to a white paper, which is a more formal statement of governmental policy. As a result, both the Commerce report and the FTC initiative reflect tentative steps in the direction of statutory, regulatory, and policy changes. How far they proceed is a matter of guesswork, particularly with a new and more conservative Congress waiting in the wings.
The Commerce Report Sounds the Defense of the Status Quo In Privacy Regulation, Founded In Large Part On Self-Regulation By Industry. The Commerce report praises almost unconditionally the handling of the Internet under US law, focusing mainly on the success of industry as voluntary self-regulators. The report also posits the Department of Commerce itself as the leadership entity within the US Government on privacy matters, and claims a power to “ensure the Internet fulfills its social and economic potential.” The FTC’s mandate of protecting consumers from commercial abuses is far narrower. Direct marketers may have found, in the Department of Commerce, a voice to stand up to the newly regulation-happy and business-unfriendly FTC, and one that is ready to take power from the FTC. This could not be clearer than in Commerce’s own recommendation that an overarching Privacy Policy Office be created under its regulatory umbrella.
FIPPs. Commerce’s approach centers on the “broad adoption” of Fair Information Privacy Practices (“FIPPs”) that are sweeping and general enough to provide “ample flexibility” and “encourage innovation,” and envisions these being reflected in “voluntary, enforceable codes of conduct.” If they are voluntary, of course, they likely would not be promulgated in the form of statutes and regulations. If they are nonetheless enforceable, it would seem as if Commerce -- at least in part -- envisions trade groups and associations requiring adherence by members and providing for their own policing. Whatever the implications, they are different from the FTC’s report requesting that Congress invest it with greater legal authority over privacy matters. The FIPPs, as envisioned by Commerce, would include “simple notices, clearly articulated purposes for data collection, commitments to limit data uses to fulfill those purposes, and the expanded use of robust audit systems to bolster accountability.”
The PPO. Commerce’s proposed Privacy Policy Office is intended to be both “the convener of diverse stakeholders” on privacy matters and the “center of Administration commercial data privacy expertise.” It would work with the FTC in “leading efforts to develop voluntary but enforceable codes of conduct.” In a sentence that likely made career FTC employees cringe, Commerce states that compliance with such voluntary codes would serve as a “safe harbor for companies facing certain complaints about their privacy practices.” In other words, compliance with these voluntary codes could potentially insulate a company from privacy and security related claims asserted by the FTC, the individual states, and potentially even money-hungry class action lawyers. Of course, the scope of the “safe harbor” protection is not made especially clear in the Commerce report, and past experience—as in the telemarketing area—suggests that Congress could seriously fumble on the issue of preemption of state laws and limitations on bankrupting class action lawsuits.
Uniform Security Breach Notification Rules? The Commerce report takes on an issue that has plagued direct marketers in recent years, and on which Congress has been unable to do anything meaningful. Specifically, it proposes replacing the patchwork of dozens of inconsistent state security breach laws with a single national law. While this would put an array of consultants out of business, it would—if done correctly—remove significant regulatory expense (and uncertainty) from the shoulders of direct marketers of all sizes.
Overall, the Commerce report, if it is taken at face value as a genuine reflection of the Department of Commerce's position on commercial privacy matters, is a breath of fresh air. Unlike the FTC's report, which treats things like personalized advertisements as horrible invasions of privacy, the Commerce report reflects an understanding that the collection and use of customer information by businesses has an important place in not only bolstering the growing internet economy, but also serving legitimate consumer and business interests. And, unlike the FTC, it places the greatest governmental focus on far more important privacy issues like data security and identity theft.
We are now at the beginning stages of a great debate about Internet privacy that could result in considerable change to the regulatory landscape. In subsequent blog posts, we will be addressing in greater detail individual issues raised by both the Commerce and FTC reports, and providing insights into how the debate is evolving.
We wish all of our readers a wonderful holiday season!
Tuesday, December 21, 2010
6th Annual International Conference on Contracts
- JSM
Monday, December 20, 2010
What are they teaching kids about finance and budgeting?
“Teens are admitting that they don’t have knowledge of some of the basic money management skills around investing, budgeting and using credit. Despite the alarming numbers, teens overwhelmingly have high hopes for future financial stability. The poll shows we need to do a better job of ensuring our youth are financially literate. JA offers a broad range of age-appropriate financial literacy curricula, from kindergarten through grade 12.”
So, all of this sounds a little dire. Making the work of Junior Achievement even more important, of course. And perhaps a few basic tips from Suze Orman are in order? Not surprisingly, we talk to our daughter about making wise choices and living within her means. This would include everything from buying items on sale to purchasing used items on sites like Craigslist. We also talk to her about being a good citizen in terms of the environment as well, including walking and biking when possible. That is, not everyone (particularly college students) needs a car.
- The workbook not only mandated that she purchase a car (whether she could afford it or not), but also required her to take out a five year loan on the car. In the summer Oprah magazine, Suze Orman yet again blasted this practice, advising against car loans more than 36 months or less (7 Deals You Should Never Make). Basically, perhaps one needs to shop for a less expensive car.
- The workbook also mandated that she replace $650 of household furnishings and that she must put it on a credit card and pay for it that way. Apparently, no option to save up and buy in cash or to purchase something used.
- The workbook required an apartment. While the student could get roommates, there was no easy way for the student to select a less costly alternative of living in a college dormitory where utilities, rent and food are typically included.
In the end, I advised her on how to best fill out her worksheets making the least devastating decisions. She did budget for buying household furnishings with cash and saving most of the money as a down-payment for the car. While I might have been fine with this if it was designed to teach teens the devastating impact of debt, there were no comparisons to other models or advice on better decisions. I also wrote a note in the workbook for the teacher asking him not to teach our children that it is fine to enter into these types of credit and financial situations.
The result of all this? The teacher was angry with her when he saw the worksheets and gave her a D for not following the program requirements. She had waited until the last minute to finish this, so her work was not as neat as it should have been, but really? Maybe the teacher will reconsider. In the end, I'd rather her get a D on the Junior Achievement and remain solvent for a lifetime. Isn't all this debt part of what led to the financial crisis?
- JSM
Income Tax Nexus in a Digital World
The exemption applies if a company’s activities in another state include only the solicitation of sales of tangible personal property by an employee, representative, or independent contractor for delivery of inventory located outside the state to residents of the state, if orders are accepted outside the state. The exemption also extends to maintenance by an independent contractor of an office in the state. Thus, while solicitation activities of an out-of-state company in a state would create nexus under the Commerce Clause and Due Process Clause standards, if the solicitation is limited to the sale of tangible personal property and, subject to the other limitations in the underscored portions above, the company would be exempt from the state’s income tax.
There have been a number of cases defining solicitation (See, e.g., Wisconsin Department of Revenue v. William Wrigley, Jr., 112 S.Ct. 2447 (1992)). And the MTC has issued guidelines, which many states have adopted, defining protected and unprotected activities under P.L. 86-272. See Statement of Information Concerning Practices of Multistate Tax Commission and Signatory States under Public Law 86-272 (Multistate Tax Commission, Third Revision adopted July 27, 2001).
The cases and guidelines make it clear that if a company solicits the sale of services as well as tangible personal property, the exemption of P.L. 86-272 does not apply. See, e.g., Amway Corp. v. Director of Revenue, 794 S.W.2d 666 (Mo. 1990). Thus, a pertinent issue under P.L. 86-272 is whether the items being sold by an out-of-state company constitute tangible personal property or services.
Public Law 86-272 does not define the term “tangible personal property.” Recently, the New Jersey Tax Court helped clarify that standard with regard to software. See Accuzip, Inc. v. Director, Division of Taxation, 25 N.J. Tax 158 (2009). In Accuzip, the New Jersey Tax Court determined that prewritten computer software constitutes tangible personal property based upon the sales and use tax law’s definition of tangible personal property and U.S. Treasury Regulations regarding the transfer of software.
In the digital world, resort to sales and use tax law or federal tax law may be helpful to taxpayers in determining whether the products they sell are tangible personal property. For instance, in several states digital music and digital books are deemed tangible personal property subject to the sales tax. In those states, taxpayers will argue that they are protected by the federal statute by citing the sales tax law and the New Jersey Tax Court’s decision in Accuzip.
Tuesday, December 14, 2010
Do As I Say, Not As I Do: The FTC "Do Not Track" Initiative Could Cripple E-Commerce
Although most headlines have focused on the FTC's proposal for a "do not track" list, the FTC report is about much more than that. It foretells a highly aggressive new regulatory strategy that may change the landscape of Internet privacy without any concern for the cost impact on industry or a realistic assessment of the privacy interests of consumers. It sweeps so broadly against business as to suggest that–if the FTC has its way–even entirely benign and non-intrusive information collection practices that do not track individual consumers will be sharply curtailed. At the same time, new and intrusive requirements will be injected multiple times into virtually every consumer experience on the Web. If you do business on the Internet, you need to know what the FTC is hoping to unleash on eCommerce.
If the FTC has its way, you will need to redesign your web sites and emails to provide real-time notice and choice to every consumer, whether or not they make any purchases. The overarching theme of the report is highly paternalistic, suggesting that consumers are incapable of making informed choices about their buying decisions and Internet browsing activities. Thus, privacy policies and full disclosure of information collection practices are viewed dimly by the FTC. Instead, it commands that “consumers should [repeatedly] be presented with choice about collection and sharing of their data at the time and in the context in which they are making decisions.” Not only would implementation of such a scheme add substantially to the programming costs of commercial web sites, it could interfere significantly with the consumer purchasing experience. It is hard to imagine Web sales not suffering.
The FTC's "Do Not Track" Initiative Creates a Presumption Against Collecting Information About Web Site Usage, Even If that Information Is Not Individually Identifiable. The item in the report receiving the largest amount of press is the “do not track” recommendation. It would obligate direct marketers to implement technology – through something “similar to a cookie,” according to the FTC – that would prevent the collection of web browsing activities by individuals or individual browser installations. This would be mandated even if retailers do not actually collect individually-identifiable personal information. Indeed, the FTC report supports doing away with the line drawn in existing law between information that is personally identifiable and that which is not, claiming that “traditional distinctions between the two categories of data are eroding.” Because "some" companies allegedly find surreptitious ways to connect non-personal information to specific individuals, the FTC is ready to recommend that all companies be prevented from collecting even aggregate usage data, which could be a significant blow to retailers who use this data to obtain helpful information for their businesses. Data collection serves important functions that parallel the physical retail environment, including the measuring of foot traffic in certain areas of a store. Denying this data to retailers in its non-personally identifiable form suggests a significant lack of government understanding of – or at least a gross lack of sensitivity to – legitimate industry needs.
At present, the FTC, itself, believes that it does not have authority to implement a tracking system without further action by Congress. But, the pressure is on for Congress to enact a potentially sweeping new set of powers for the agency. In the interim, the makers of at least one popular browser, Firefox, are exploring ways to implement a “do not track” feature that leaves it to consumers to choose whether they will be tracked. Microsoft has already implemented a similar feature in its most recent release of Internet Explorer. This approach is far less onerous for retailers, but may rob them of the very data they need to present consumers with meaningful purchasing choices through targeted advertising. The least effective and most intrusive recommendation – that the FTC appears to favor – involves a “do not track” list that may leave it to Internet companies to figure out whether a person who is visiting their web site has chosen to place themselves on a list. Because the specifics have yet to be determined, it is unclear what this list would even look like. The FTC claims that a list of machine specific identifiers (as might be embedded in an operating system or hardware) or IP addresses is not a likely option.
Prepare to Open Your Files. Some of what the FTC report recommends is positive for the industry, including “standardized” privacy-related notices (which might reduce uncertainty surrounding potential challenges by privacy rights groups, among other things), but the context – including whether federally mandated notices would preempt individual states from enacting different or more complicated disclosure requirements and whether class action lawsuits would be permitted against violators – remains a mystery, and the potential perils for eCommerce are significant. Other FTC recommendations are chilling, including the requirement that companies provide customers “reasonable access” to all the data maintained about them and that the Children’s Online Privacy Protection Act’s onerous obligations be extended to cover children between the ages of 13 and 17.
What's Next? The FTC has asked for industry comments as it pushes forward with its new privacy initiative. This is a critical moment for direct marketers to be heard in petitioning the government to create and implement a more sensible, uniform approach to privacy protection that balances a realistic assessment of the potential harm to consumers against potentially dramatic and commerce-suppressing costs.