On Thursday, April 24, the U.S. Senate delayed its vote on S. 743, the “Marketplace Fairness Act,” which was originally expected as early as this week, until Monday, May 6, 2013. In the final procedural vote before the Senate takes up the bill on May 6, there was growing opposition to the fact that the bill had skipped the committee process, but there appeared to still be enough votes for passage. Earlier in the week, the vote to proceed without committee action was 74–20; on April 24 it was 63–30. More senators appeared to be concerned that careful consideration via a committee hearing is imperative before authorizing states to impose the complex existing state and local sales tax system on ecommerce and remote sellers. As we have commented before, the Marketplace Fairness Act fails to include such fundamental simplification measures as one tax rate per state, uniform tax bases and exemptions, vendor compensation requirements, and the harmonization of state sales tax holidays. Readers can learn more about true sales and use tax simplification here.
The House of Representatives has yet to take up the parallel bill (H.R. 684). We will continue to follow developments on federal legislation.
Friday, April 26, 2013
Thursday, April 25, 2013
Beyond California and Massachusetts: Will Collecting Zip Codes Invite Class Actions Across the United States?
Although California and Massachusetts have stolen the spotlight with high profile cases banning zip code collection in connection with credit card purchases, thirteen other states and the District of Columbia have similar laws. With voracious class action attorneys circling, it is critical for retailers to know their legal obligations in these jurisdictions and, if necessary, adjust their privacy practices and policies.
Yet, because these statutes are to varying degrees vague, untested, and archaic, compliance can be difficult. At the same time, the risks could scarcely be higher. Hundreds of companies have already been ensnared in consumer class action lawsuits in California and Massachusetts, and the litigation floodgates may now open in other states as well. And the math is simple. With penalties as high as $1,000 every single time a zip code, address, or telephone number is collected illegally--for periods going back as far as six years--even a relatively small company could face a liability in the millions or tens of millions of dollars. You're also likely to be required to pay the plaintiffs' legal fees if you lose, which are often as much as one-third of the penalty calculation.
The State Law Landscape. A general baseline for state statutes governing the collection of personal information during credit card transactions is a prohibition against retailers requiring customers to provide certain information in connection with a credit card transaction. California and a few other states, including Wisconsin, go further, barring even the requesting of such information. Other states, like Massachusetts, prohibit the "writing" of such information, usually on "a credit card transaction form" -- although, as the industry learned in Massachusetts, writing doesn't necessarily mean writing (it can mean inputting information electronically) and a "transaction form" might be interpreted to include a marketing database (the Massachusetts court dodged this issue for now).
Not Just Zip Codes. Seven states appear to limit their prohibitions to customers' addresses and telephone numbers, and not the sweeping concept of "personal identification information" included in the California and Massachusetts statutes. (In California, for example, "personal identification information" is defined as information not appearing on the face of a credit card, and so it could include not only zip codes, but also a state of residence, a birthday, an email address, or a person's gender.)
But, even in the states that expressly limit their bans to addresses and telephone numbers, the decisions in Massachusetts and California reveal a path by which these statutes might be interpreted to reach the collection of zip codes only. For example, the Supreme Court of Massachusetts felt free to deem zip codes to be "personal identification information" because "a consumer's zip code, when combined with the consumer's name, provides the merchant with enough information to identify through publicly available databases the consumer's address or telephone number, the very information § 105 (a) expressly identifies as personal identification information." As a result, the court found that not extending the prohibition to zip codes "would render hollow the statute's explicit prohibition on the collection of customer addresses and telephone numbers, and undermine the statutory purpose of consumer protection." In other words, even if you are not collecting addresses and telephone numbers in these states, you could still be at risk.
Exceptions. Most of these statutes have exceptions that benefit direct marketers. California, for example, allows retailers to collect zip codes and other "personal identification information" if it "is required for a special purpose incidental but related to the individual credit card transaction, including, but not limited to, information relating to shipping, delivery, servicing, or installation of the purchased merchandise, or for special orders." In other states, like Massachusetts, the exception is more narrowly drawn, and, in some states, there are no exceptions at all. And even for those laws which allow address information to be collected for shipping, the exception does not extend to address collection in gift transactions where the billing address and the shipping address are different.
Enforcement. Of course, one of the biggest issues for direct marketers is the risk of being the subject of a government investigation or a class action lawsuit. The risk of government enforcement (by a state attorney general, for example) is likely low in all states except in the event of a data breach--which underscores the need for companies to have in place information privacy and security policies that reduce the risks of such a breach. As importantly, states are unlikely to seek astronomical penalties from retailers, something that is the bread and butter of class action cases.
The risk of a federal or state class action lawsuit--on behalf thousands upon thousands of consumers--is much higher. These privacy statutes are very attractive to class action lawyers because they often have a "per violation" penalty that can drive potential recoveries into the stratosphere. This, in addition to provisions that allow plaintiffs (but not defendants) to recover attorneys' fees, makes them a very attractive basis for filing a barrage of lawsuits in the hopes that some of them will succeed or, even in failing, provoke lucrative settlements.
In the past, privacy-related class actions have often foundered because the plaintiffs could not demonstrate any "injury." Many state consumer protection laws, including the one in Massachusetts, require such an injury to allow a suit to go forward. (Some, like California, Wisconsin, and the District of Columbia, do not require a showing of injury.) But, we learned from the Michaels case in Massachusetts that courts can stretch the concept of "injury" beyond recognition. The Supreme Court of Massachusetts found that the "invasion of privacy" caused by the receipt of a just one unwanted catalog was sufficient "injury" to maintain a class action lawsuit. In Michaels, it was alleged that the retailer used the zip code to obtain customers' mailing addresses, and then sent unsolicited catalogs to those addresses. That was the extent of the "harm."
Yet, because these statutes are to varying degrees vague, untested, and archaic, compliance can be difficult. At the same time, the risks could scarcely be higher. Hundreds of companies have already been ensnared in consumer class action lawsuits in California and Massachusetts, and the litigation floodgates may now open in other states as well. And the math is simple. With penalties as high as $1,000 every single time a zip code, address, or telephone number is collected illegally--for periods going back as far as six years--even a relatively small company could face a liability in the millions or tens of millions of dollars. You're also likely to be required to pay the plaintiffs' legal fees if you lose, which are often as much as one-third of the penalty calculation.
The State Law Landscape. A general baseline for state statutes governing the collection of personal information during credit card transactions is a prohibition against retailers requiring customers to provide certain information in connection with a credit card transaction. California and a few other states, including Wisconsin, go further, barring even the requesting of such information. Other states, like Massachusetts, prohibit the "writing" of such information, usually on "a credit card transaction form" -- although, as the industry learned in Massachusetts, writing doesn't necessarily mean writing (it can mean inputting information electronically) and a "transaction form" might be interpreted to include a marketing database (the Massachusetts court dodged this issue for now).
Not Just Zip Codes. Seven states appear to limit their prohibitions to customers' addresses and telephone numbers, and not the sweeping concept of "personal identification information" included in the California and Massachusetts statutes. (In California, for example, "personal identification information" is defined as information not appearing on the face of a credit card, and so it could include not only zip codes, but also a state of residence, a birthday, an email address, or a person's gender.)
But, even in the states that expressly limit their bans to addresses and telephone numbers, the decisions in Massachusetts and California reveal a path by which these statutes might be interpreted to reach the collection of zip codes only. For example, the Supreme Court of Massachusetts felt free to deem zip codes to be "personal identification information" because "a consumer's zip code, when combined with the consumer's name, provides the merchant with enough information to identify through publicly available databases the consumer's address or telephone number, the very information § 105 (a) expressly identifies as personal identification information." As a result, the court found that not extending the prohibition to zip codes "would render hollow the statute's explicit prohibition on the collection of customer addresses and telephone numbers, and undermine the statutory purpose of consumer protection." In other words, even if you are not collecting addresses and telephone numbers in these states, you could still be at risk.
Exceptions. Most of these statutes have exceptions that benefit direct marketers. California, for example, allows retailers to collect zip codes and other "personal identification information" if it "is required for a special purpose incidental but related to the individual credit card transaction, including, but not limited to, information relating to shipping, delivery, servicing, or installation of the purchased merchandise, or for special orders." In other states, like Massachusetts, the exception is more narrowly drawn, and, in some states, there are no exceptions at all. And even for those laws which allow address information to be collected for shipping, the exception does not extend to address collection in gift transactions where the billing address and the shipping address are different.
Enforcement. Of course, one of the biggest issues for direct marketers is the risk of being the subject of a government investigation or a class action lawsuit. The risk of government enforcement (by a state attorney general, for example) is likely low in all states except in the event of a data breach--which underscores the need for companies to have in place information privacy and security policies that reduce the risks of such a breach. As importantly, states are unlikely to seek astronomical penalties from retailers, something that is the bread and butter of class action cases.
The risk of a federal or state class action lawsuit--on behalf thousands upon thousands of consumers--is much higher. These privacy statutes are very attractive to class action lawyers because they often have a "per violation" penalty that can drive potential recoveries into the stratosphere. This, in addition to provisions that allow plaintiffs (but not defendants) to recover attorneys' fees, makes them a very attractive basis for filing a barrage of lawsuits in the hopes that some of them will succeed or, even in failing, provoke lucrative settlements.
In the past, privacy-related class actions have often foundered because the plaintiffs could not demonstrate any "injury." Many state consumer protection laws, including the one in Massachusetts, require such an injury to allow a suit to go forward. (Some, like California, Wisconsin, and the District of Columbia, do not require a showing of injury.) But, we learned from the Michaels case in Massachusetts that courts can stretch the concept of "injury" beyond recognition. The Supreme Court of Massachusetts found that the "invasion of privacy" caused by the receipt of a just one unwanted catalog was sufficient "injury" to maintain a class action lawsuit. In Michaels, it was alleged that the retailer used the zip code to obtain customers' mailing addresses, and then sent unsolicited catalogs to those addresses. That was the extent of the "harm."
Thursday, April 18, 2013
Kansas Enacts Internet Affiliate Nexus Law
On April 16, 2013, Kansas Governor Sam Brownback signed SB 83, which includes a provision patterned after the New York Internet affiliate nexus law recently upheld by the New York Court of Appeals in Overstock.com v. New York Department of Taxation and Finance. The law amends the definition of “retailer doing business in the state” in K.S. § 79-3702(h)(1) to create a presumption of nexus if a retailer enters into an agreement with one or more Kansas residents under which the resident, for a commission or other consideration, refers customers to the retailer “by a link or an Internet website, by telemarketing, by an in-person oral presentation, or otherwise.” The presumption will apply so long as the cumulative gross receipts of the retailer for sales to Kansas customers purchasing through such referrals is at least $10,000 in the preceding 12 months. The presumption may be rebutted by a retailer submitting proof that the affiliates did not engage in activity that is significantly associated with the retailer’s ability to make and maintain a market in the state. Such a rebuttal “may consist” of sworn statements obtained from all affiliates that they did not solicit sales in the state on behalf of the retailer. The law takes effect 90 days after enactment, or on July 15, 2013. Ecommerce vendors should evaluate their Kansas affiliate relationships to determine how to respond to the law.
Wednesday, April 17, 2013
Real Estate Brokers vs Du Proprio. We Ain't Scared
Here's broker Patrice Groleau, owner of Old Montreal's McGill Immobilier, talking about why he isn't particularly bothered by the likes of For Sale By Owner (FSBO) sites like Du Proprio.
As he puts it "Some people like to cut their own lawn, paint their own house, do their own taxes and invest their own money," He has nothing against those who do, but he sees value in working with people who are the best trained and most professional at what they do.
Well put, M Groleau.
As he puts it "Some people like to cut their own lawn, paint their own house, do their own taxes and invest their own money," He has nothing against those who do, but he sees value in working with people who are the best trained and most professional at what they do.
Well put, M Groleau.
Tuesday, April 16, 2013
California "Right to Know" Act Would Require Companies to Disclose Personal Information to Consumers
A California legislator recently re-introduced a bill that, if passed, would further solidify California’s place at the forefront of privacy regulation among U.S. States. AB 1291, the “Right to Know Act of 2013,” would require businesses to provide to consumers, upon request, a copy of all personal information the company has collected and retained about that consumer, as well as information about any parties with whom that information is shared.
Under California’s existing “Shine the Light” law, California consumers already have a right to request, no more than once a year, a list of third parties with whom a company has shared personal information for direct marketing purposes, and a description of the information shared. Companies may currently comply with the law by allowing consumers to opt-out of having their information shared with third parties for direct-marketing purposes.
The proposed law would broaden a consumer’s right of access considerably, giving consumers a right to obtain a copy of any personal information a company retains about that customer, regardless of whether the information is shared with third party marketers. Significantly, this includes both information a company may collect from a customer in connection with a transaction (e.g. name, email address, mailing address, order history), as well as any information purchased from third-party data brokers and incorporated into the consumer profile maintained by the company (e.g. demographic information provided by data brokers).
It is too early to predict whether the bill will be passed by the California legislature, but it is sure to be controversial. Some privacy advocates have applauded the bill, arguing that consumers need greater transparency regarding data collection practices, and noting that Europeans already enjoy similar rights of access. (An Austrian law student made headlines several years ago when he requested his information from Facebook and received more than 1,200 pages of data). Industry groups, on the other hand, are justifiably concerned about the potential cost of complying with the bill’s mandate, and about potentially increased exposure to lawsuits. As currently written, the bill would allow private consumer lawsuits, which could make litigation attractive to class-action lawyers.
We will continue to monitor developments in this area. Whether or not this particular bill becomes law, it is not the first and will not be the last time we see a push for greater transparency around data collection, particularly with respect to the practice of “data enhancement” or using information about consumers provided by data brokers rather than the consumers, themselves. (See related blog posts, here and here).
Under California’s existing “Shine the Light” law, California consumers already have a right to request, no more than once a year, a list of third parties with whom a company has shared personal information for direct marketing purposes, and a description of the information shared. Companies may currently comply with the law by allowing consumers to opt-out of having their information shared with third parties for direct-marketing purposes.
The proposed law would broaden a consumer’s right of access considerably, giving consumers a right to obtain a copy of any personal information a company retains about that customer, regardless of whether the information is shared with third party marketers. Significantly, this includes both information a company may collect from a customer in connection with a transaction (e.g. name, email address, mailing address, order history), as well as any information purchased from third-party data brokers and incorporated into the consumer profile maintained by the company (e.g. demographic information provided by data brokers).
It is too early to predict whether the bill will be passed by the California legislature, but it is sure to be controversial. Some privacy advocates have applauded the bill, arguing that consumers need greater transparency regarding data collection practices, and noting that Europeans already enjoy similar rights of access. (An Austrian law student made headlines several years ago when he requested his information from Facebook and received more than 1,200 pages of data). Industry groups, on the other hand, are justifiably concerned about the potential cost of complying with the bill’s mandate, and about potentially increased exposure to lawsuits. As currently written, the bill would allow private consumer lawsuits, which could make litigation attractive to class-action lawyers.
We will continue to monitor developments in this area. Whether or not this particular bill becomes law, it is not the first and will not be the last time we see a push for greater transparency around data collection, particularly with respect to the practice of “data enhancement” or using information about consumers provided by data brokers rather than the consumers, themselves. (See related blog posts, here and here).
Tuesday, April 9, 2013
Despite Unconstitutionality, Kentucky Enacts Consumer Use Tax Notification Requirement for Out-Of-State Retailers
On April 4, 2013, Kentucky Governor Steve Beshear signed into law HB 440. The bill includes an amendment to Kentucky’s tax code which will impose a new requirement on every retailer that makes sales into Kentucky from outside the state and that is not required to collect Kentucky use tax. The law requires that these retailers provide a notice to their customers that Kentucky purchasers are required to report and pay use tax directly to the Kentucky Department of Revenue. A similar provision enacted in Colorado in 2010 as part of a broader notification and reporting bill was declared unconstitutional by a federal judge in Direct Marketing Association v. Huber, a case now on Appeal before the 10th Circuit Court of Appeals. Brann & Isaacson is counsel to the DMA in the Colorado litigation.
While three other states—Oklahoma, South Dakota, and Vermont—have similar consumer use tax notification requirements on the books, Kentucky’s new law is more aggressive:
First, on its face, Kentucky’s law requires retailers to use “the exact required use tax notification language” set forth in the statute concerning compliance with Kentucky law, and does not include a substantial compliance provision likes other states. According to the statute, even if a seller already has a notice provision for other states, that notice provision is only adequate for purposes of Kentucky law “if the consolidated notification meets the requirements of this section.” In other words, only the “exact” language of the Kentucky law, and not something substantially similar that a retailer adopts in response to another state’s notification law, appears to be allowed.
Second, the Kentucky statute expressly applies to “online auction Web sites.” It is not clear whether the requirement is meant to apply to the auction site itself, or whether it means that retailers selling through an auction site must arrange for display of the notice with respect to their own sales. But note that there is a small seller exemption that exempts any retailer with sales of less than $100,000 to Kentucky residents from having to comply with the statute. This may lessen the impact of the Kentucky law on Internet auction sites.
Third, while South Dakota and Vermont each provide that there can be no civil or criminal penalties for a retailer’s failure to comply with the use tax notification provision, Kentucky has no such non-enforcement clause. The Oklahoma statute is likewise silent on enforcement and, in practice, the Oklahoma notice law has not been enforced by the state’s Tax Commission. It remains to be seen whether the Kentucky Department of Revenue will bring enforcement actions, but nothing in the new law appears to prevent it.
For more details on the new Kentucky consumer use tax notification statute and how it might affect an out-of-state retailer’s website check-out screens and catalog order forms, ecommerce vendors and other remote sellers should consult their tax advisors.
While three other states—Oklahoma, South Dakota, and Vermont—have similar consumer use tax notification requirements on the books, Kentucky’s new law is more aggressive:
First, on its face, Kentucky’s law requires retailers to use “the exact required use tax notification language” set forth in the statute concerning compliance with Kentucky law, and does not include a substantial compliance provision likes other states. According to the statute, even if a seller already has a notice provision for other states, that notice provision is only adequate for purposes of Kentucky law “if the consolidated notification meets the requirements of this section.” In other words, only the “exact” language of the Kentucky law, and not something substantially similar that a retailer adopts in response to another state’s notification law, appears to be allowed.
Second, the Kentucky statute expressly applies to “online auction Web sites.” It is not clear whether the requirement is meant to apply to the auction site itself, or whether it means that retailers selling through an auction site must arrange for display of the notice with respect to their own sales. But note that there is a small seller exemption that exempts any retailer with sales of less than $100,000 to Kentucky residents from having to comply with the statute. This may lessen the impact of the Kentucky law on Internet auction sites.
Third, while South Dakota and Vermont each provide that there can be no civil or criminal penalties for a retailer’s failure to comply with the use tax notification provision, Kentucky has no such non-enforcement clause. The Oklahoma statute is likewise silent on enforcement and, in practice, the Oklahoma notice law has not been enforced by the state’s Tax Commission. It remains to be seen whether the Kentucky Department of Revenue will bring enforcement actions, but nothing in the new law appears to prevent it.
For more details on the new Kentucky consumer use tax notification statute and how it might affect an out-of-state retailer’s website check-out screens and catalog order forms, ecommerce vendors and other remote sellers should consult their tax advisors.
Thursday, April 4, 2013
New Best Practices for Trademark Owners in an Era of Ever Increasing gTLDs
As new domains become available, trademark owners with an internet presence should consider adopting new best practices to protect their marks. By way of background, a generic top level domain (“gTLD”) is the alpha numeric string that appears after the “dot” in a web site URL. The most ubiquitous such creature is the well-known “.com.” In the 1980s, the Internet Corporation for Assigned Names and Numbers (ICANN)–the mysterious not-for-profit corporation under contract with the US Department of Commerce to see to the proper functioning of the Internet’s system of addresses–created seven gTLDs: .com, .edu, .gov, .int, .mil, .net, and .org.. In years following the creation of the original gTLDs, discussions concerning additional gTLDs led to the selection in November 2000 of seven new gTLDs for introduction: .biz, .info, .name, .pro, .aero, .coop, and .museum. In 2003, ICANN initiated a process that resulted in the introduction of six new gTLDs (.asia, .cat, .jobs, .mobi, .tel and .travel). Most recently, .xxx has been added to the mix.
At each step along the way, the introduction of new gTLDs created anxiety for trademark owners concerned that each new gTLD opened up opportunities for domain name brokers to hijack or cybersquat on second level domains consisting of valuable trademarks. For instance, acme.com might find that there are cybersquatters hosting sites at acme.org or acme.asia. In response to these concerns, at each launch of a new set of gTLDs, ICANN implemented a so-called “sunrise” period, enabling trademark owners to get first dibs on any new domain name consisting of a trademark owner’s trademark.
During the late 1990’s and early 2000’s, this led to a “best practices” regime of domain name management that consisted primarily of trademark owners registering thousands of domain names consisting of their trademarks in an effort to prevent others from doing so.
Given developments in the gTLD area in the last two years, however, this approach is no longer workable.
In late 2013, ICANN is set to launch, at last count, 1,930 additional gTLDs. The process will include an enhanced version of the sunrise period, permitting trademark owners to register their trademarks in a clearing house system. Even so, the costs associated with registering even a single trademark in each new gTLD will geometrically multiply the domain name portfolio budgets of many brands.
So what is a diligent trademark owner to do? How about nothing? With the caveat that this suggestion is likely to be viewed as heretical among my fellow IP/Internet law attorneys, it is a notion that bears some consideration. At the beginning of the Internet era, the business community lacked insight into the manner in which users would come to navigate the web. In addition, few could have anticipated the sophistication that has now been achieved by search engines in matching user queries with relevant search results.
As a result of emerging user patterns, for example, virtually no user navigates to a website by entering the URL in the location bar of a browser, even if the user knows the URL. Rather, the user enters the common name for the brand or other item in the search box of a search engine. In turn, search engines ruthlessly index web sites based on relevance criteria that make it virtually impossible for a user seeking the Acme web site, for example, to be directed anyplace else. The massive proliferation of gTLDs will only accelerate the emphasis on this relevance analysis. Accordingly, it seems likely that the increasing proliferation of gTLDs will actually make it less important, not more, for brand owners to lock up every possible variation of their marks in connection with every gTLD. If so, brand owners may derive an unexpected benefit from the additional gTLDs in the form of smaller domain name registration budgets—not larger.
At each step along the way, the introduction of new gTLDs created anxiety for trademark owners concerned that each new gTLD opened up opportunities for domain name brokers to hijack or cybersquat on second level domains consisting of valuable trademarks. For instance, acme.com might find that there are cybersquatters hosting sites at acme.org or acme.asia. In response to these concerns, at each launch of a new set of gTLDs, ICANN implemented a so-called “sunrise” period, enabling trademark owners to get first dibs on any new domain name consisting of a trademark owner’s trademark.
During the late 1990’s and early 2000’s, this led to a “best practices” regime of domain name management that consisted primarily of trademark owners registering thousands of domain names consisting of their trademarks in an effort to prevent others from doing so.
Given developments in the gTLD area in the last two years, however, this approach is no longer workable.
In late 2013, ICANN is set to launch, at last count, 1,930 additional gTLDs. The process will include an enhanced version of the sunrise period, permitting trademark owners to register their trademarks in a clearing house system. Even so, the costs associated with registering even a single trademark in each new gTLD will geometrically multiply the domain name portfolio budgets of many brands.
So what is a diligent trademark owner to do? How about nothing? With the caveat that this suggestion is likely to be viewed as heretical among my fellow IP/Internet law attorneys, it is a notion that bears some consideration. At the beginning of the Internet era, the business community lacked insight into the manner in which users would come to navigate the web. In addition, few could have anticipated the sophistication that has now been achieved by search engines in matching user queries with relevant search results.
As a result of emerging user patterns, for example, virtually no user navigates to a website by entering the URL in the location bar of a browser, even if the user knows the URL. Rather, the user enters the common name for the brand or other item in the search box of a search engine. In turn, search engines ruthlessly index web sites based on relevance criteria that make it virtually impossible for a user seeking the Acme web site, for example, to be directed anyplace else. The massive proliferation of gTLDs will only accelerate the emphasis on this relevance analysis. Accordingly, it seems likely that the increasing proliferation of gTLDs will actually make it less important, not more, for brand owners to lock up every possible variation of their marks in connection with every gTLD. If so, brand owners may derive an unexpected benefit from the additional gTLDs in the form of smaller domain name registration budgets—not larger.
Subscribe to:
Posts (Atom)