Guide to Computer Law—Number 351

Practitioner’s Perspective

by Holly K. Towle, J.D.

Holly K. Towle is a partner with K & L Gates LLP, an international law firm, and chair of the firm’s E-merging Commerce group. Holly is located in the firm’s Seattle office and is the coauthor of The Law of Electronic Commercial Transactions (2003, A.S. Pratt & Sons). Holly.Towle@KLgates.com, 206-623-7580.

Data Passes, Negative Options & Automatic Renewals, Oh My! New Rules for a New Year.

New laws and rules that take effect in 2011 will alter what businesses must do to obtain consumer consent to electronic charges for goods or services. These changes will impact both Internet and offline commerce. They require website reprogramming and new disclosures to, and consents from, consumer customers engaging in transactions where:

- customer billing data is passed from one Internet merchant to another in order to effect an initial sale and then a post-transaction sale, or
- an Internet transaction includes a “free to pay conversion” or other negative option feature, or
- an online or offline consumer transaction involves recurring charges to a payment card or deposit account, such as for payment of a periodic subscription or membership fee, or
- combinations of the above.

The new rules vary with the payment method used and can conflict or overlap. They are found in federal and state laws and regulations, as well as in payment system rules (e.g., ACH clearinghouse rules) and private rules such as those issued by payment card organizations. This article provides a heads-up regarding some of the basics of these new or newly enhanced requirements.

Practitioner’s Perspective appears periodically in the monthly Report Letter of the CCH Guide to Computer Law. Various practitioners provide in-depth analyses of significant issues and trends.
New Federal Law: The Restore Online Shoppers’ Confidence Act

In December 2010, Congress enacted The Restore Online Shoppers’ Confidence Act (“ROSCA”) to regulate “data passes” and the use of negative option features. The Federal Trade Commission will be the regulator for ROSCA, and violations of ROSCA are also deemed to violate the FTC’s unfair or deceptive acts or practices rules.[1] Before ROSCA, the FTC was already acting with respect to some of these practices under its powers to regulate unfair acts or deceptive practices and, with respect to negative options and “pre-acquired account information,” its Telemarketing Sales Rule. ROSCA codifies and expands some of those FTC actions or rules and applies aspects of them, as well as new rules, to Internet transactions.

1. Data Passes. Like telemarketers before them, some Internet merchants had entered into mutually beneficial arrangements—colloquially known as “data passes”—by which customer payment card and billing information was transmitted between them to help facilitate sequential sales. Having collected consumer billing data as part of an initial online transaction, a website operator would permit an independent seller or marketing partner to advertise its own products or services during, or immediately after, an online transaction. If the consumer elected to consummate this second transaction, the initial merchant would “pass” the consumer’s billing data to the second seller, and would sometimes make a commission on the transaction. Congress was concerned that data passes, especially when combined with other aggressive marketing practices, had the potential to deceive customers—leaving them unaware of the fact that they had entered into a second, separate purchase.
Second purchases attracting the most regulatory attention involve continuing charges such as automatically charging the consumer’s credit or debit card for a monthly or other periodic fee for membership in a club, but ROSCA also covers one-time and irregular ongoing charges.

A. Obligations of Post-transaction Third Party Sellers. ROSCA prohibits data passes by imposing new obligations on what it calls a “post-transaction third party seller” (“Post Seller”). Such persons are unaffiliated sellers defined as follows (emphasis added):

“Post-transaction third party seller” means a person that—
(A) sells, or offers for sale, any good or service on the Internet;
(B) solicits the purchase of such goods or services on the Internet through an initial merchant after the consumer has initiated a transaction with the initial merchant; and
(C) is not—
(i) the initial merchant;
(ii) a subsidiary or corporate affiliate of the initial merchant; or
(iii) a successor of an entity described in clause (i) or (ii).

ROSCA makes it unlawful for a Post Seller to charge or attempt to charge any consumer’s credit or debit card, bank account, or “other financial account” for any good or service sold in a transaction effected on the Internet, unless the Post Seller does two things:

1. before obtaining billing information, discloses all material terms clearly and conspicuously, including particular items listed in ROSCA (generally, the description and cost of goods or services and particular lack of affiliation with initial merchant); and
2. obtains the consumer’s “express informed consent” for the charge by doing two things:
   - obtaining from the consumer (i.e., not from the initial merchant) particular billing and contact information (full account number to be charged, name, address and means to contact the consumer), and
   - requiring the consumer to “perform an additional affirmative action,” such as checking a box, that indicates the consumer’s consent to be charged the disclosed amount.

The apparent goals are to force realization that a second transaction is occurring (including by making the consumer re-enter billing information), to disclose material terms of that transaction as well as amounts to be charged, and to require the consumer to take a positive step to authorize a charge of that disclosed amount. ROSCA contains additional details and definitions[2] and FTC regulations may contain more. Even as is, however, the increased programming costs and “user experience” inherent in this structure may significantly discourage unaffiliated secondary sales.

ROSCA leaves several key terms undefined. For example, ROSCA does not define “consumer,” so it is not clear whether ROSCA applies only to persons acting primarily for personal, family, or household purposes (the most traditional federal definition), or whether it applies to “individuals” or “natural persons” (also among federal definitions) who act for any purpose, including business purposes. The answer is important because ROSCA includes references such as to the “consumer’s information” or the “consumer’s card”— absent a contrary merchant agreement, such information or card can belong to an individual who is a sole proprietor, but the question becomes more complex when the information or card belongs to an entity (such as a corporation) that acts through an employee or agent who is an individual.

B. Prohibitions on Initial Merchant. ROSCA also prohibits the initial merchant from making a data pass.
An initial merchant is a person that has obtained a consumer’s billing information directly from the consumer through an Internet transaction initiated by the consumer. That merchant may not pass account numbers or “other billing information” that is used for a charge by a Post Seller. “Billing information” is not defined, so ROSCA creates an ambiguity regarding what information it covers beyond account numbers. However, it is clear that ROSCA only precludes data passes to a Post Seller. Thus, sharing with a third party not within that definition (such as a payment processor not selling a service or good to the consumer) is not covered by ROSCA, although such sharing may be covered by relevant privacy policies, payment processing contracts, payment card organization rules, payment system rules and other applicable law.

C. Regulation E. ROSCA expressly states that it does not affect federal Regulation E, which implements the federal Electronic Funds Transfer Act for consumer accounts (defined in that regulation as accounts of natural persons “primarily for personal, family or household purposes”). Regulation E pertains to electronic fund transfers (“EFT”), including all debit card transactions. It would be relevant to ROSCA transactions charged to a debit card or using an EFT debited directly to the consumer’s deposit account (e.g., an ACH debit). To illustrate, assume a Post Seller complies with ROSCA in order to obtain a ROSCA consent for a preauthorized, monthly charge of a subscription or membership fee to a consumer’s debit card or bank account—is compliance with ROSCA enough? No. Regulation E rules regarding preauthorized transfers will apply in addition to ROSCA.
Those rules are not the same as ROSCA and include, for example, (a) a requirement for a written authorization that is signed or similarly authenticated by the consumer, (b) provision of a copy of that authorization to the consumer, (c) a “stop payment” right, and (d) written notice to the consumer if the amount to be charged in one period varies from the previous charge, which notice may trigger a consumer protection rule under the Electronic Signatures in Global and National Commerce Act.[3] Complying only with ROSCA will not meet all of Regulation E, and ROSCA so warns by stating that Regulation E is not superseded, modified, or affected.

Similarly, if the customer’s deposit account will be debited directly, rules of the National Automated Clearing House Association (“NACHA”) will apply. ACH rules do not apply to payments made via a debit card, but do apply to direct debits of deposit accounts, including regularly or irregularly recurring direct debits. If payment is made by credit card, card organization rules for credit cards will apply, but not ACH rules. For example, both Visa and MasterCard have stated that their rules have traditionally prohibited data passes and Visa issued a rule expressly regulating them shortly before ROSCA was enacted.

2. Negative Options. ROSCA also makes it unlawful for “any person” to charge or attempt to charge a consumer for goods or services sold in an Internet transaction that has a “negative option feature,” unless that person meets certain conditions. That person must disclose all material terms before taking billing information, obtain a particular form of consumer consent, and provide a simple mechanism for the consumer to stop the recurring charges.
ROSCA points to the definition in the FTC’s Telemarketing Sales Rule:

Negative option feature means, in an offer or agreement to sell or provide any goods or services, a provision under which the customer’s silence or failure to take an affirmative action to reject goods or services or to cancel the agreement is interpreted by the seller as acceptance of the offer.[4]

A common Internet example of such offers is the “free trial” offer, known as the “free-to-pay” conversion, by which a consumer begins getting billed after an initial “free” introductory offer. The ROSCA rule is this (emphasis added):

NEGATIVE OPTION MARKETING ON THE INTERNET. It shall be unlawful for any person to charge or attempt to charge any consumer for any goods or services sold in a transaction effected on the Internet through a negative option feature (as defined in the Federal Trade Commission’s Telemarketing Sales Rule in part 310 of title 16, Code of Federal Regulations), unless the person—
(1) provides text that clearly and conspicuously discloses all material terms of the transaction before obtaining the consumer’s billing information;
(2) obtains a consumer’s express informed consent before charging the consumer’s credit card, debit card, bank account, or other financial account for products or services through such transaction; and
(3) provides simple mechanisms for a consumer to stop recurring charges from being placed on the consumer’s credit card, debit card, bank account, or other financial account.[5]

An undisclosed or poorly disclosed negative option feature used to generate revenues of $459,540,000 is described in U.S. v. Warshak,[6] a 2010 criminal case. The Sixth Circuit there upheld forfeiture to the government of the entirety of those revenues as proceeds resulting, directly or indirectly, from unlawful activities centered on a negative option program structured to confuse customers and avoid certain credit card organization rules.
New State Laws and Other Rules: Recurring Payments

Federal Regulation E, payment card organization rules and/or ACH Rules have long contained requirements for preauthorized charges to a debit or credit card or deposit account. What is new is twofold: (a) states have gotten into this area; and (b) card organization rules have changed.

1. California Bus. & Prof. Code § 17600-17606. A California statute that became effective December 1, 2010, impacts formation, online or offline, of consumer contracts when services will be continuous or automatically renewed at the end of a definite term. An example is an offline health club membership or an online subscription for delivery of items such as a physical book, where the provider automatically charges the membership or subscription renewal to a credit or debit card or deposit account. It includes “free-to-pay” conversion offers. Absent compliance, the statute will convert the provision of services or goods into an “unconditional gift.” In general, the statute requires:

- Providing a clear and conspicuous disclosure before the contract is made, compliance with placement rules, and providing particular disclosure text (e.g., stating contract is continuous until cancellation, cancellation policy, amount and method for recurring charges and known changes, length of service, and any minimum purchase obligation);
- Providing a retainable, particular acknowledgement of and disclosures regarding the customer’s order;
- Obtaining the consumer’s “affirmative consent” to the agreement; and
- Providing a “clear and conspicuous” notice in a manner capable of retention, of any material change and information regarding how to cancel before the change.

The statute makes it unlawful to make a charge absent the consumer’s affirmative consent. It also contains several exceptions (such as for regulated insurance entities and financial institutions) as well as defined terms. It should be reviewed for details.

2. Card Organization or Other Rules. There are detailed card organization rules for “recurring transactions” and “continuity programs” which, generally speaking, allow charges by specified persons to a debit or credit card on a recurring basis, if rules are met which detail disclosures, notices, authorization, retention, and so on. Although card organization rules are privately imposed by contract, at least one court has used a high rate of “chargebacks” under such rules as evidence of consumer confusion for purposes of an FTC lawsuit alleging unfair acts or deceptive practices.[7] As noted, there are also other payment system rules, such as NACHA rules, for “standing” authorizations for debits or credits to customer accounts.

Conclusion

Several recent FTC enforcement actions or court decisions deal with combinations of issues addressed in the above laws or rules. What has changed is that ROSCA, as a matter of federal law, now expressly prohibits in Internet transactions data passes of account numbers and other billing information and regulates negative option features. States have also begun to regulate “recurring” consumer transactions, as evidenced by the new California law. And last but not least, there are ever-changing credit or debit card organization and payment system rules that can be triggered depending upon the payment method and processing path used. The sum of those parts is a lot to juggle, so it looks like the New Year will be challenging.

Endnotes

[1] See ROSCA (S.B. 3386) at § 5(a).
[2] See, e.g., ROSCA (S.3386) at § 3(a).
[3] For a discussion of this rule, see Chapter 11.06[2] of Towle, Holly, The Law of Electronic Commercial Transactions (2003-2010, A.S. Pratt & Sons).
[4] 16 C.F.R. § 310.2(u).
[5] ROSCA at § 4.
[6] U.S. v. Warshak --- F.3d ----, 2010 WL 5071766 (6th Cir. Ohio).
[7] See, e.g., FTC v. Grant Connect, LLC, 2009 WL 3074346 (D. Nev. 2009).