Thursday, April 28, 2011

States on the Warpath

In the last few months, three states (Illinois, Arkansas and South Dakota) have enacted “nexus expanding” legislation effective on July 1, 2011. Other states are considering adopting such legislation. The legislation falls into three categories: (1) click-through nexus; (2) reporting obligations; and (3) “affiliate” or “attributional nexus.”

We have previously written about the Illinois click-through nexus law (here and here), which we believe is unconstitutional since it purports to establish nexus (with no opportunity to rebut the determination) for any retailer that contracts with a person “located in Illinois” who receives a commission from the retailer based on sales of goods facilitated by a link from the person to the retailer’s web site. We will not describe here the details as to why the statute is unconstitutional, other than to note that mere national advertising, which is what the click-through represents, has never been deemed to create nexus, as pointed out in the Quill v. North Dakota case. In addition, online retailers should carefully review the Illinois statute and its requirements before deciding whether it applies to them.

The other recently-adopted nexus click-through legislation is the Arkansas law, which, unlike the Illinois statute, creates only a presumption of nexus that can be rebutted by a showing that the person maintaining the web site that provides a link does not engage in solicitation on behalf of the retailer. The statute is modeled after the New York statute, and it is possible for a retailer to structure its program with its Arkansas affiliates so as not to be subject to Arkansas sales tax collection obligations.

I also note that there is pending legislation in several states that is similar to the Arkansas statute and not the Illinois statute. (See our recent discussion of pending legislation here.)

The South Dakota statute requires all non-collecting retailers that have annual gross sales into South Dakota of $100,000 or more to provide a “transactional notice.” The transactional notice should appear both on the retailer’s web site and in catalogs and purchase orders/receipts. Because the law applies only to non-collecting retailers, who by definition do not have a physical presence in the state and who are out-of-state retailers, it suffers from the same constitutional infirmities that caused the Colorado federal court to issue a preliminary injunction staying the enforcement of a very similar statute in Colorado.See Direct Marketing Ass’n v. Huber, 2011 WL 250556 (D. Colo. 2011).

In the final category of statutes, both Arkansas and Illinois also provide for attributional nexus for commonly-owned companies when an affiliate has a physical presence in the state. The Illinois statute provides that an out-of-state retailer has nexus with the state if it has a contract with an affiliate who both sells a similar line of products under a substantially similar name as the online retailer and receives a commission from the out-of-state retailer. The Arkansas statute provides a more expansive definition of a company required to collect sales tax and bases its requirement upon either the retailer’s use of the in-state affiliate to act on behalf of the retailer or the retailer’s use of substantially similar trademarks or tradenames as used by the in-state affiliate.

In short, much of the new legislation is constitutionally suspect. How the states choose to enforce the laws, and how the industry reacts, is a work in progress. Individual companies should carefully review their own nexus profile and circumstances to determine the applicability of this new legislation.

Tuesday, April 26, 2011

Commercial Privacy Bill of Rights Introduced in Congress

The introduction of the so-called Commercial Privacy Bill of Rights by Senators Kerry and McCain on April 12, 2011 suggests that we may be about to enter an era of robust regulation of information gathering regarding the online browsing and shopping habits of consumers. This type of data has come to be an important tool for online marketers to improve the efficiency of online advertising buys, and to improve other marketing techniques. At a minimum, this development presents a risk that online merchants will need to build out substantial new technical infrastructure to accommodate a welter of new rules under this bill. Beyond that, it may make it difficult even for highly respected and responsible merchants to engage in marketing activities that are an important part of their tool kit in the information age.

Among other things, the bill contains the following requirements:
  • Collectors of information must implement security measures to protect the information they collect and maintain.
  • Collectors of information must provide clear notice to individuals of the collection practices and the purposes of such collection. Additionally, collectors must provide the ability for an individual to opt out of any information collection that is unauthorized by the Act and to provide affirmative consent (opt-in) for the collection of sensitive personally identifiable information. Respecting companies’ existing relationships with customers and the ability to develop a relationship with a potential customers, the bill would require "robust and clear" notice to an individual of his or her ability to opt-out of the collection of information for the purpose of transferring it to third parties for behavioral advertising. It would also require collectors to provide individuals either the ability to access and correct their information, or to request cessation of its use and distribution.
  • Collectors must bind third parties by contract to ensure that any individual information transferred to the third party by the collector will only be used or maintained in accordance with the bill’s requirements. The bill requires the collector to attempt to establish and maintain reasonable procedures to ensure that information is accurate.
These requirements can be expected to have significant operational impacts on direct marketers. The requirement for notice and opt-out rights for a series of practices that are quite technical in nature promises to be easier said than done. Existing privacy laws require only notice of the collection of personal information (much more narrowly defined than in this bill) and only very limited opt-out rights–essentially limited to CAN-SPAM compliance. This new bill would potentially require merchants to allow consumers to opt out of the collection of pixel tags, the placing of cookies, and the sharing of data harvested from those tools with third parties. Simply building the tools necessary to collect and implement those requirements would pose significant burdens and costs for online marketers, and may very well be beyond the abilities of many merchants.

Further, the bill stretches the definition of personal information beyond any commonly understood meaning of that term. It includes email addresses and postal addresses, and if "used, transferred or stored" in connection with any of the foregoing, birth date, and most significantly, "unique identifier information." Unique identifier information is defined as "a unique persistent identifier associated with an individual or a networked device, including a customer number held in a cookie, a user ID, a processor serial number, or a device serial number." This definition essentially means that virtually any data collected about a browsing session will be protected by this statute, with strict limits on the ability to use or transfer that data without approval.

The existence of an "established business relationship" exception to some of the requirements of the bill provides cold comfort. It applies not to the commonly understood relationship of customer and merchant, but only to the "establishment of an account." While this may be typical of some merchants' relationships with their customers, many retailers do not require the establishment of an account in order to make a purchase. It is interesting to note, however, that the 800 pound gorillas in the online space, notably Google and Facebook, would be the most likely to benefit from this exception.

The bill seeks to accomplish these objectives by requiring the FTC to promulgate regulations effectuating the statute's requirements for the most part within 60 to 180 days after enactment of the bill, depending upon the provision at issue. Accordingly, it will likely be a long time before these requirements take effect (if ever), given the Congressional legislative calendar, and the frequently protracted rule-making process that would attend any promulgation of regulations. During both the legislative process and the regulatory process, the direct marketing industry will have an opportunity to point out the technical challenges presented by this statute, as well as the potential unintended consequences, including damage to the economy, that the statute could create.