Practitioner’s Perspective Data Passes, Negative Options & Rules for a New Year.

Guide to Computer Law—Number 351
Practitioner’s Perspective
by Holly K. Towle, J.D.
Holly K. Towle is a
partner with K & L Gates
LLP, an international law
firm, and chair of the firm’s E-merging
Commerce group. Holly is located in the firm’s
Seattle office and is the coauthor of The Law
of Electronic Commercial Transactions (2003,
A.S. Pratt & Sons). Holly.Towle@KLgates.com,
206-623-7580.
Data Passes, Negative Options &
Automatic Renewals, Oh My! New
Rules for a New Year.
New laws and rules that take effect in 2011 will alter what businesses must
do to obtain consumer consent to electronic charges for goods or services.
These changes will impact both Internet and offline commerce. They
require website reprogramming and new disclosures to, and consents from,
consumer customers engaging in transactions where:
• customer billing data is passed from one Internet merchant to another
in order to effect an initial sale and then a post-transaction sale, or
• an Internet transaction includes a “free to pay conversion” or other
negative option feature, or
• an online or offline consumer transaction involves recurring charges to
a payment card or deposit account, such as for payment of a periodic
subscription or membership fee, or
• combinations of the above.
The new rules vary with the payment method used and can conflict or
overlap. They are found in federal and state laws and regulations, as well as
in payment system rules (e.g., ACH clearinghouse rules) and private rules
such as those issued by payment card organizations. This article provides
a heads-up regarding some of the basics of these new or newly enhanced
requirements.
Practitioner’s Perspective appears periodically
in the monthly Report Letter of the CCH Guide to
Computer Law. Various practitioners provide in-depth analyses of significant issues and trends.
New Federal Law: The Restore Online Shoppers’
Confidence Act
In December 2010, Congress enacted The Restore Online Shoppers’
Confidence Act (“ROSCA”) to regulate “data passes” and the use of negative
option features. The Federal Trade Commission will be the regulator for
ROSCA, and violations of ROSCA are also deemed to violate the FTC’s
unfair or deceptive acts or practices rules.1 Before ROSCA, the FTC was
already acting with respect to some of these practices under its powers to
regulate unfair acts or deceptive practices and, with respect to negative
options and “pre-acquired account information,” its Telemarketing Sales
Rule. ROSCA codifies and expands some of those FTC actions or rules and
applies aspects of them, as well as new rules, to Internet transactions.
1. Data Passes.
Like telemarketers before them, some Internet merchants had entered
into mutually beneficial arrangements—colloquially known as “data
passes”—by which customer payment card and billing information was
transmitted between them to help facilitate sequential
sales. Having collected consumer billing data as part of an
initial online transaction, a website operator would permit
an independent seller or marketing partner to advertise its
own products or services during, or immediately after, an
online transaction. If the consumer elected to consummate
this second transaction, the initial merchant would “pass”
the consumer’s billing data to the second seller, and would
sometimes make a commission on the transaction.
Congress was concerned that data passes, especially when
combined with other aggressive marketing practices, had
the potential to deceive customers—leaving them unaware
of the fact that they had entered into a second, separate
purchase. Second purchases attracting the most regulatory
attention involve continuing charges such as automatically
charging the consumer’s credit or debit card for a monthly or
other periodic fee for membership in a club, but ROSCA also
covers one-time and irregular ongoing charges.
A. Obligations of Post-transaction Third Party Sellers. ROSCA
prohibits data passes by imposing new obligations on what
it calls a “post-transaction third party seller” (“Post Seller”).
Such persons are unaffiliated sellers defined as follows
(emphasis added):
“Post-transaction third party seller” means a person
that—
(A) sells, or offers for sale, any good or service on the
Internet;
(B) solicits the purchase of such goods or services on
the Internet through an initial merchant after the
consumer has initiated a transaction with the initial
merchant; and
(C) is not— (i) the initial merchant; (ii) a subsidiary
or corporate affiliate of the initial merchant; or (iii) a
successor of an entity described in clause (i) or (ii).
ROSCA makes it unlawful for a Post Seller to charge or
attempt to charge any consumer’s credit or debit card, bank
account, or “other financial account” for any good or service
sold in a transaction effected on the Internet, unless the Post
Seller does two things:
1. before obtaining billing information, discloses all material
terms clearly and conspicuously, including particular
items listed in ROSCA (generally, the description and
cost of goods or services and particular lack of affiliation
with initial merchant); and
2. obtains the consumer’s “express informed consent” for
the charge by doing two things:
• obtaining from the consumer (i.e., not from the initial
merchant) particular billing and contact information
(full account number to be charged, name, address and
means to contact the consumer), and
• requiring the consumer to “perform an additional
affirmative action,” such as checking a box, that indicates
the consumer’s consent to be charged the disclosed amount.
The apparent goals are to force realization that a second
transaction is occurring (including by making the consumer
re-enter billing information), to disclose material terms of that
transaction as well as amounts to be charged, and to require
the consumer to take a positive step to authorize a charge of
that disclosed amount. ROSCA contains additional details
and definitions2 and FTC regulations may contain more.
Even as is, however, the increased programming costs and
“user experience” inherent in this structure may significantly
discourage unaffiliated secondary sales.
ROSCA leaves several key terms undefined. For example,
ROSCA does not define “consumer,” so it is not clear
whether ROSCA applies only to persons acting primarily for
personal, family, or household purposes (the most traditional
federal definition), or whether it applies to “individuals” or
“natural persons” (also among federal definitions) who act
for any purpose, including business purposes. The answer
is important because ROSCA includes references such as to
the “consumer’s information” or the “consumer’s card”—
absent a contrary merchant agreement, such information or
card can belong to an individual who is a sole proprietor, but
the question becomes more complex when the information
or card belongs to an entity (such as a corporation) that acts
through an employee or agent who is an individual.
B. Prohibitions on Initial Merchant. ROSCA also prohibits
the initial merchant from making a data pass. An initial
merchant is a person that has obtained a consumer’s billing
information directly from the consumer through an Internet
transaction initiated by the consumer. That merchant may
not pass account numbers or “other billing information” that
is used for a charge by a Post Seller.
“Billing information” is not defined, so ROSCA creates an
ambiguity regarding what information it covers beyond
account numbers. However, it is clear that ROSCA only
precludes data passes to a Post Seller. Thus, sharing with
a third party not within that definition (such as a payment
processor not selling a service or good to the consumer) is
not covered by ROSCA, although such may be covered by
relevant privacy policies, payment processing contracts,
payment card organization rules, payment system rules and
other applicable law.
C. Regulation E. ROSCA expressly states that it does not
affect federal Regulation E, which implements the federal
Electronic Funds Transfer Act for consumer accounts
(defined in that regulation as accounts of natural persons
“primarily for personal, family or household purposes”).
Regulation E pertains to electronic fund transfers (“EFT”),
including all debit card transactions. It would be relevant
to ROSCA transactions charged to a debit card or using an
EFT debited directly to the consumer’s deposit account
(e.g., an ACH debit).
To illustrate, assume a Post Seller complies with ROSCA
in order to obtain a ROSCA consent for a preauthorized,
monthly charge of a subscription or membership fee to a
consumer’s debit card or bank account—is compliance with
ROSCA enough? No.
Regulation E rules regarding preauthorized transfers will
apply in addition to ROSCA. Those rules are not the same
as ROSCA and include, for example, (a) a requirement for a
written authorization that is signed or similarly authenticated
by the consumer, (b) provision of a copy of that authorization
to the consumer, (c) a “stop payment” right, and (d) written
notice to the consumer if the amount to be charged in one
period varies from the previous charge, which notice may
trigger a consumer protection rule under the Electronic
Signatures in Global and National Commerce Act.3
Complying only with ROSCA will not meet all of Regulation
E, and ROSCA so warns by stating that Regulation E is not
superseded, modified, or affected.
Similarly, if the customer’s deposit account will be debited
directly, rules of the National Automated Clearing House
Association (“NACHA”) will apply. ACH rules do not apply
to payments made via a debit card, but do apply to direct
debits of deposit accounts, including regularly or irregularly
recurring direct debits. If payment is made by credit card, card
organization rules for credit cards will apply, but not ACH
rules. For example, both Visa and MasterCard have stated
that their rules have traditionally prohibited data passes and
Visa issued a rule expressly regulating them shortly before
ROSCA was enacted.
2. Negative Options.
ROSCA also makes it unlawful for “any person” to
charge or attempt to charge a consumer for goods
or services sold in an Internet transaction that has a
“negative option feature,” unless that person meets
certain conditions. That person must disclose all material terms before taking billing information, obtain
a particular form of consumer consent, and provide a
simple mechanism for the consumer to stop the recurring charges.
ROSCA points to the definition in the FTC’s Telemarketing
Sales Rule:
Negative option feature means, in an offer or agreement
to sell or provide any goods or services, a provision
under which the customer’s silence or failure to take an
affirmative action to reject goods or services or to cancel the
agreement is interpreted by the seller as acceptance of
the offer.4
A common Internet example of such offers is the “free trial”
offer, known as the “free-to-pay” conversion, by which
a consumer begins getting billed after an initial “free”
introductory offer.
The ROSCA rule is this (emphasis added):
NEGATIVE OPTION MARKETING ON THE
INTERNET.
It shall be unlawful for any person to charge or attempt
to charge any consumer for any goods or services
sold in a transaction effected on the Internet through
a negative option feature (as defined in the Federal
Trade Commission’s Telemarketing Sales Rule in part
310 of title 16, Code of Federal Regulations), unless the
person—
(1) provides text that clearly and conspicuously
discloses all material terms of the transaction before
obtaining the consumer’s billing information;
(2) obtains a consumer’s express informed consent
before charging the consumer’s credit card, debit card,
bank account, or other financial account for products or
services through such transaction; and
(3) provides simple mechanisms for a consumer to stop
recurring charges from being placed on the consumer’s
credit card, debit card, bank account, or other financial
account.5
An undisclosed or poorly disclosed negative option feature
used to generate revenues of $459,540,000 is described in U.S.
v. Warshak,6 a 2010 criminal case. The Sixth Circuit there
upheld forfeiture to the government of the entirety of those
revenues as proceeds, resulting directly or indirectly, from
unlawful activities centered on a negative option program
structured to confuse customers and avoid certain credit card
organization rules.
New State Laws and Other Rules: Recurring
Payments
Federal Regulation E, payment card organization rules
and/or ACH Rules have long contained requirements for
preauthorized charges to a debit or credit card or deposit
account. What is new is twofold: (a) states have gotten into
this area; and (b) card organization rules have changed.
1. California Bus. & Prof. Code § 17600-17606. A California
statute that became effective December 1, 2010, impacts
formation, online or offline, of consumer contracts when
services will be continuous or automatically renewed at the
end of a definite term. An example is an offline health club
membership or an online subscription for delivery of items
such as a physical book, where the provider automatically
charges the membership or subscription renewal to a credit
or debit card or deposit account. It includes “free-to-pay”
conversion offers. Absent compliance, the statute will convert
the provision of services or goods into an “unconditional
gift.” In general, the statute requires:
• Providing a clear and conspicuous disclosure before the
contract is made, compliance with placement rules, and
providing particular disclosure text (e.g., stating contract
is continuous until cancellation, cancellation policy,
amount and method for recurring charges and known
changes, length of service, and any minimum purchase
obligation);
• Providing a retainable, particular acknowledgement of
and disclosures regarding the customer’s order;
• Obtaining the consumer’s “affirmative consent” to the
agreement; and
• Providing a “clear and conspicuous” notice in a manner
capable of retention, of any material change and
information regarding how to cancel before the change.
The statute makes it unlawful to make a charge absent the
consumer’s affirmative consent. It also contains several
exceptions (such as for regulated insurance entities and
financial institutions) as well as defined terms. It should be
reviewed for details.
2. Card Organization or Other Rules. There are detailed
card organization rules for “recurring transactions” and
“continuity programs” which, generally speaking, allow
charges by specified persons to a debit or credit card on a
recurring basis, if rules are met which detail disclosures,
notices, authorization, retention, and so on. Although card
organization rules are privately imposed by contract, at least
one court has used a high rate of “chargebacks” under such
rules as evidence of consumer confusion for purposes of an
FTC lawsuit alleging unfair acts or deceptive practices.7 As
noted, there are also other payment system rules, such as
NACHA rules, for “standing” authorizations for debits or
credits to customer accounts.
Conclusion
Several recent FTC enforcement actions or court decisions
deal with combinations of issues addressed in the above laws
or rules. What has changed is that ROSCA, as a matter of
federal law, now expressly prohibits in Internet transactions
data passes of account numbers and other billing information
and regulates negative option features. States have also
begun to regulate “recurring” consumer transactions, as
evidenced by the new California law. And last but not least,
there are ever-changing credit or debit card organization and
payment system rules that can be triggered depending upon
the payment method and processing path used. The sum of
those parts is a lot to juggle, so it looks like the New Year will
be challenging.
Endnotes
1 See ROSCA (S.B. 3386) at § 5(a).
2 See e.g., ROSCA (S.3386) at § 3(a).
3 For a discussion of this rule, see Chapter 11.06[2] of Towle,
Holly, The Law of Electronic Commercial Transactions
(2003-2010, A.S. Pratt & Sons).
4 16 C.F.R. § 310.2(u).
5 ROSCA at § 4.
6 U.S. v. Warshak --- F.3d ----, 2010 WL 5071766 (6th Cir.
Ohio).
7 See, e.g., FTC v. Grant Connect, LLC, 2009 WL 3074346 (D. Nev.
2009).