
Advising e-Commerce Business Startups: Beyond the Crib Sheet

By ALM Staff | Law Journal Newsletters | March 26, 2007

(Editor's Note: This month, in the second part of a two-part article, our expert author examines some more issues that e-commerce counsel should pay particular attention to when advising e-commerce startups, particularly small, single-entrepreneur or small-group driven Internet-based storefronts. See the March edition of e-Commerce Law & Strategy for Part One. For continuity, we start by summarizing Part One.)

The legal risks associated with operating an online business are largely hidden to many people who are lured by the dream of making their fortunes with the apparent ease of opening a virtual storefront.

But the risks of setting up a virtual storefront (an e-commerce venture) can exceed those of operating a real-world, bricks-and-mortar business, where relationships with consumers are often based on tangible items.

In the virtual world, a business owner may face a number of additional problems, including:

  • Copyright infringement;
  • Trademark infringement;
  • Intellectual property ownership;
  • Libel and slander;
  • Identity theft;
  • Jurisdictional issues;
  • Invasion of privacy; and
  • Breach of confidentiality.

And those are just a relative few of the problems from a litany of possible pitfalls the e-commerce entrepreneur faces.

If setting up an online business is like building a home, then the regulatory framework governing how you run it should be its architectural blueprint.

In the first part of this article, we examined the major 'set-up' considerations, such as copyright infringement, domain name disputes, and terms of service and privacy agreements.

In this installment, we move beyond basic considerations to what happens past the initial stage of construction, when a business starts to interact with its consumers or subscribers. In other words, how should you prep your home for potential visitors?

The Children's Online Privacy Protection Act

In April 2000, the U.S. government enacted the Children's Online Privacy Protection Act ('COPPA'), legislation intended to address widespread concern about the safety of children online. COPPA governs how online operators must handle children and personal information concerning children. The Act applies if the online site is directed toward children under 13 ('children,' in this article) and collects personally identifiable information from them, or is directed toward a general audience but whose operators know they collect personally identifiable information from children. The Federal Trade Commission ('FTC' at www.ftc.gov) enforces COPPA.

The FTC considers several factors to determine whether a site is directed toward children, including:

  • The subject matter;
  • Video and audio content;
  • The age of the models on the site;
  • Language used;
  • Whether advertising on the Web site is directed to children;
  • Information regarding the age of the actual or intended audience; and
  • Whether the site uses animated characters or other child-oriented features.

It is not a requirement that the site be solely directed to children for COPPA to apply; some connection, even if minimal, might bring the site within COPPA's ambit. For example, if a small portion of a site is targeted at children, then the Act applies to that content. Similarly, the Act covers a site that is generally directed toward adults but of which the operators know that they collect information from children.

'Personal identifiable information' under COPPA includes information such as:

  • Full name;
  • Home address;
  • e-Mail address;
  • Telephone number; and
  • Similar information that would allow site operators to identify the child.

COPPA also covers other information collected through cookies and different tracking devices if such information can be linked to an identifiable child.

If an entity does collect personal information from children, then it must do the following:

  • Adopt a COPPA-friendly privacy policy and post conspicuous links on its site linking to this information; and
  • Obtain 'verifiable' parental consent from the child's parent.

The policy and notice requirement is outlined in the Act. The law states that the notice data must include such information as:

  • The name and contact information of all operators, or one dedicated operator, handling information provided from children;
  • A description of the information that is obtained from children;
  • How the operator will be using that information; and
  • Whether that information will be disclosed to third parties.

A parent should also be given the option of controlling the disclosure of such information by either having the ability to delete it or to inform the entity that the parent doesn't want the information disclosed to third parties. The information collected must also not exceed what would be reasonably required to have the child participate in the online activity. And the policy must be phrased in easy-to-understand language, and a link to it must be posted on the site's home page, as well as on any other page that collects information from children.

COPPA leaves open what would be considered a method of obtaining 'verifiable' parental consent. The following methods, however, could be used in verifying information provided by a parent:

  • An e-mail with a valid digital signature;
  • A signed consent form sent to the site's operator via postal mail or facsimile;
  • A credit card used in connection with a transaction; or
  • A call through a toll-free number staffed by trained professionals who would presumably collect the verifiable information.

A violation of COPPA can lead to considerable civil penalties: the FTC fined Mrs. Fields Cookies a whopping $100,000 and Hershey Foods $85,000 for failure to comply with the Act's requirements. So, if a company has any reason to believe it is, or could potentially be, marketing to children under 13, then it should seriously consider incorporating features meeting the Act's requirements into its site.

The Child Online Protection Act

Often confused with COPPA, the Child Online Protection Act ('COPA') was passed by Congress and signed into law in October 1998. COPA establishes criminal penalties for any 'commercial' distribution of material over the Internet deemed to be 'harmful to minors.' Speech that is covered by the Act broadly includes any:

  • Communication;
  • Picture;
  • Graphic-image file;
  • Article;
  • Recording; or
  • Writing.

It defines obscene material as that which the 'average person' would find as appealing to the 'prurient interest,' or that depicts children engaging in lewd or sexual acts, and taken as a whole lacks any artistic, literary, political or scientific value.

COPA has been heavily criticized by free-speech advocates as overly broad legislation that gives a court too much leeway to determine what constitutes the prevalent 'community standard,' which is especially problematic considering the Internet's global reach. The Act, which has been making its way through federal courts since its inception, has had its constitutionality challenged on numerous fronts by free-speech advocates. In June 2004, in Ashcroft v. American Civil Liberties Union (542 U.S. 656), the Supreme Court upheld the Third Circuit court's finding that the Act is an unconstitutional restraint on protected speech. The Supreme Court referred the case back to the district court for a trial; the case awaits resolution. If the Act survives its judicial challenge, it could create a background for the most conservative jurisdiction to set the standard for the entire United States, or globally. Stay tuned.

Section 230 of The Communication Decency Act

The Communication Decency Act ('CDA') was passed in 1996 and immediately subjected to constitutional challenges, the same constitutional challenges to which COPA would be subjected. From these challenges, Section 230 of the CDA survived unscathed and has been a valuable shield for Internet intermediaries against legal challenges ever since.

Section 230 states, in relevant part, that '[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.' It also preempts any state law to the contrary. In other words, an Internet intermediary will not be liable for the acts of its users, even if such acts amount to an actionable tort such as defamation. A Web site owner could, then, let users post whatever material they wish with complete impunity, aside from public-relations concerns.

The key to Section 230 is that the material is posted by someone other than the Internet intermediary. See, e.g., Batzel v. Smith, 333 F.3d 1018 (9th Cir. 2003). So, then, one might well ask, what happens if you suddenly start editing your users' posts or start posting defamatory materials to your Web site? In those instances, your actions may fall outside Section 230's shield, if your acts are more than minor editing. Unfortunately, courts have yet to determine what is considered protected editing under Section 230, as opposed to unprotected authorship that would categorize you as an 'information content provider.' Wherever the line is drawn, it remains clear that if someone other than the Internet intermediary posted the information, Section 230 will provide a broad shield from liability.

The CAN-SPAM Act

The Controlling the Assault of Non-Solicited Pornography and Marketing Act ('CAN-SPAM') became effective on Jan. 1, 2004, and covers all e-mail whose primary purpose is advertising, or promoting a commercial product or service. The Act is meant to address 'spamming,' or unsolicited e-mails that annoyingly clobber our e-mailboxes.

The Federal Trade Commission, the Department of Justice ('DOJ' at www.justice.gov), and other federal and state agencies have authority to enforce the Act with civil and criminal penalties. CAN-SPAM has several requirements, including the following:

  • Misleading information. The Act bans all types of misleading or false information that can be included in the 'to' and 'from' fields of the e-mail, and in the subject line. The e-mail must accurately identify its recipient and author.
  • Opt-out method. All e-mails covered by the Act must provide the recipient with the opportunity to opt out of receiving future e-mails. In other words, there must be a mechanism through which the recipient can inform the author of the e-mail that such e-mails are unwanted, and the author must abide by that request. The Act gives the author a safe-harbor of 10 days before honoring such requests. It also does not allow the author to resend an e-mail to the same address from another entity, and does not allow an entity to sell such e-mail addresses to another entity without including the opt-out information.
  • Advertising identification. CAN-SPAM also requires all e-mail messages the Act covers to have a clear and conspicuous notice that the message is an advertisement and that all recipients can opt out of receiving further messages; each e-mail message must also include a valid physical postal address.

Penalties for failure to comply with the Act's requirement are stiff, possibly running up to $11,000. In some instances, the DOJ can seek criminal penalties, including imprisonment, for spammers of massive proportions, such as commercial e-mailers that register multiple e-mail accounts or domain names falsifying their information, or spammers that use a computer without authorization to send commercial e-mails covered by the Act.

Most businesses will rely on e-mail marketing solutions such as Constant Contact or Lyris that will facilitate compliance with the Act. It's important for all such businesses to keep track of opt-outs so that no unauthorized e-mail reaches a recipient when the mailing list is either transferred or updated. Some businesses prefer to have an opt-in method; although an opt-in is not a legal requirement, it may be a viable option for highly regulated fields such as the legal, health-care and financial industries.

International Privacy Concerns

Although most businesses include privacy notices within their site, some consideration must be given to the privacy laws of foreign jurisdictions in which the entity is doing or planning on doing business. Privacy policies may vary vastly between countries or continents. Consider, for instance, the European Union ('EU') and Japan as examples of comprehensive privacy regulations (http://europa.eu and www.kantei.go.jp/foreign/link/links_e.html).

The EU enacted in 1998 the European Union Directive on Data Protection ('Directive') that established a minimum standard of data privacy for personal information collected from EU citizens. The Directive requires that any entity that collects personally identifiable information from EU citizens provide the following information to such EU citizens:

  • How the information will be used by the collecting entity;
  • Access to such information to provide opportunity for potential edits; and
  • Notice, as well as the opportunity, to opt-out of having this information transferred to a third party.

The Directive requires that entities located in non-EU countries provide an 'adequate' level of protection for data collected from EU citizens. In order to comply with such a requirement, the United States entered into an agreement with the EU and developed the safe-harbor program (see, www.export.gov/safeharbor/SH_Overview.asp for more information). The safe-harbor program allows companies in the United States to 'certify' that they have complied with the requirements of the Directive rather than having an EU state determine otherwise.

To qualify under the safe-harbor program, a company must demonstrate that:

  • It has complied with the safe-harbor principles;
  • Such compliance has been verified by an outside party and that the company has implemented an internal dispute-resolution mechanism; and
  • It has submitted a letter to the U.S. Department of Commerce (www.commerce.gov) explaining the same.

Safe harbor principles with which a company must comply include the following.

  • Notice. An entity must explain exactly why it is collecting personal information and what it is planning on doing with the information. Typical disclosure requirements include whether the information will be distributed to third parties, how the EU subject can contact the company in the event of a complaint and whether the company has a system in place to limit the dissemination of personal information. This disclosure must be provided when the information is initially collected, or soon thereafter.
  • Choice. An entity must also provide an opportunity for the EU subject to opt-out of having information disclosed to a third party or used for purposes incompatible with the uses envisioned when the information was originally collected.
  • Transfers. All transfers to third parties must comply with the notice and choice requirements as explained above, or require that such third party comply with the safe-harbor principles.
  • Security. Companies must take reasonable precautions to protect information that EU subjects provide.
  • Data integrity. The company must use personal information for the relevant purposes for which it was collected.
  • Access. Personal information must be accessible to the EU subjects from which it was collected, and they must have an opportunity to edit or delete it as necessary.
  • Enforcement. An entity must provide an internal enforcement procedure that would process individual complaints and disputes due to the company's failure to abide by the safe-harbor principles.

A number of third-party assessment programs are available to facilitate compliance with the safe-harbor program, including BBBOnline (www.bbbonline.org), TRUSTe (www.truste.org) or Webtrust (www.webtrust.org). The benefits of complying with the safe-harbor program are not negligible. These benefits include an assumption by all 25 EU member states that the company has satisfied the 'adequacy' standard and the requirement that all claims EU citizens bring will have exclusive jurisdiction in the United States subject to certain limited exceptions.

Conclusion

Our online legal landscape is constantly evolving, which makes some of the principles in the above-mentioned legislation yet untested by legal challenges. Unlike COPA or the CDA, the safe-harbor program remains a work in progress as to its effectiveness. Nevertheless, it does show our willingness, at least on paper, to comply with the legal requirements of foreign countries. The good news is that most of the legal requirements provided in this two-installment article are not financially onerous for nascent businesses. If a startup can afford the legal fees involved in figuring all of these requirements out, implementation is for the most part driven by 'off the shelf' software, one of the benefits of operating online.


Olivera Medenica is with Wahab & Medenica LLC, a New York City-based law firm focusing on business/corporate, e-commerce and intellectual property. Medenica chairs the Entertainment, Media, Intellectual Property and Sports Section at the New York County Lawyers' Association and has been an adjunct faculty member at Brooklyn Law School for the last three years. Reach her at [email protected].

(Editor's Note: This month, in the second part of a two-part article, our expert author examines some more issues that e-commerce counsel should pay particular attention to when advising e-commerce startups, particularly small, single-entrepreneur or small-group driven Internet-based storefronts. See the March edition of e-Commerce Law & Strategy for Part One. For continuity, we start by summarizing Part One.)

The legal risks associated with operating an online business are largely hidden to many people who are lured by the dream of making their fortunes with the apparent ease of opening a virtual storefront.

But the risks of setting up a virtual storefront ' an e-commerce venture ' can exceed those of operating a real-world, bricks-and-mortar business, where relationships with consumers are often based on tangible items.

In the virtual world, a business owner may face a number of additional problems, including:

  • Copyright infringement;
  • Trademark infringement;
  • Intellectual property ownership;
  • Libel and slander;
  • Identity theft;
  • Jurisdictional issues;
  • Invasion of privacy; and
  • Breach of confidentiality.

And those are just a relative few of the problems from a litany of possible pitfalls the e-commerce entrepreneur faces.

If setting up an online business is like building a home, then the regulatory framework governing how you run it should be its architectural blueprint.

In the first part of this article, we examined the major 'set-up' considerations, such as copyright infringement, domain name disputes, and terms of service and privacy agreements.

In this installment, we move beyond basic considerations to what happens past the initial stage of construction, when a business starts to interact with its consumers or subscribers. In other words, how should you prep your home for potential visitors?

The Children's Online Privacy Protection Act

In April 2000, the U.S. government enacted the Children's Online Privacy Protection Act ('COPPA'), legislation intended to address widespread concern about the safety of children online. COPPA governs how online operators must handle children and personal information concerning children. The Act applies if the online site is directed toward children under 13 ('children,' in this article) and collects personally identifiable information from them, or is directed toward a general audience but whose operators know they collect personally identifiable information from children. The Federal Trade Commission ('FTC' at www.ftc.gov) enforces COPPA.

The FTC considers several factors to determine whether a site is directed toward children, including:

  • The subject matter;
  • Video and audio content;
  • The age of the models on the site;
  • Language used;
  • Whether advertising on the Web site is directed to children;
  • Information regarding the age of the actual or intended audience; and
  • Whether the site uses animated characters or other child-oriented features.

It is not a requirement that the site be solely directed to children for COPPA to apply; some connection, even if minimal, might bring the site within COPPA's ambit. For example, if a small portion of a site is targeted at children, then the Act applies to that content. Similarly, the Act covers a site that is generally directed toward adults but of which the operators know that they collect information from children.

'Personal identifiable information' under COPPA includes information such as:

  • Full name;
  • Home address;
  • e-Mail address;
  • Telephone number; and
  • Similar information that would allow site operators to identify the child.

COPPA also covers other information collected through cookies and different tracking devices if such information can be linked to an identifiable child.

If an entity does collect personal information from children, then it must do the following:

  • Adopt a COPPA-friendly privacy policy and post conspicuous links on its site linking to this information; and
  • Obtain 'verifiable' parental consent from the child's parent.

The policy and notice requirement is outlined in the Act. The law states that the notice data must include such information as:

  • The name and contact information of all operators, or one dedicated operator, handling information provided from children;
  • A description of the information that is obtained from children;
  • How the operator will be using that information; and
  • Whether that information will be disclosed to third parties.

A parent should also be given the option of controlling the disclosure of such information by either having the ability to delete it or to inform the entity that the parent doesn't want the information disclosed to third parties. The information collected must also not exceed what would be reasonably required to have the child participate in the online activity. And the policy must be phrased in easy-to-understand language, and a link to it must be posted on the site's home page, as well as on any other page that collects information from children.

COPPA leaves open what would be considered a method of obtaining 'verifiable' parental consent. The following methods, however, could be used in verifying information provided by a parent:

  • An e-mail with a valid digital signature;
  • A signed consent form sent to the site's operator via postal mail or facsimile;
  • A credit card used in connection with a transaction; or
  • A call through a toll-free number staffed by trained professionals who would presumably collect the verifiable information.

A violation of COPPA can lead to considerable civil penalties ' the FTC fined Mrs. Fields Cookies a whopping $100,000 and Hershey Foods $85,000 for failure to comply with the Act's requirement. So, if a company has any reason to believe it is, or could potentially be, marketing to children under 13, then it should seriously consider incorporating features meeting the Act's requirements into its site.

The Child Online Protection Act

Often confused with COPPA, the Child Online Protection Act ('COPA') was passed by Congress and signed into law in October 1998. COPA establishes criminal penalties for any 'commercial' distribution of material over the Internet deemed to be 'harmful to minors.' Speech that is covered by the Act broadly includes any:

  • Communication;
  • Picture
  • Graphic-image file;
  • Article;
  • Recording; or
  • Writing.

It defines obscene material as that which the 'average person' would find as appealing to the 'prurient interest,' or that depicts children engaging in lewd or sexual acts, and taken as a whole lacks any artistic, literary, political or scientific value.

COPA has been heavily criticized by free-speech advocates as an overly broad legislation that gives a court too much leeway to determine what constitutes the prevalent 'community standard,' ' which is especially problematic considering the Internet's global reach. The Act, which has been making its way through federal courts since its inception, has been challenged constitutionality on numerous fronts by free-speech advocates. In June 2004, in Ashcroft v. American Civil Liberties Union (542 U.S. 656), the Supreme Court upheld the Third Circuit court's finding that the Act is an unconstitutional restraint on protected speech. The Supreme Court referred the case back to the district court for a trial; the case awaits resolution. If the Act survives its judicial challenge, it could create a background for the most conservative jurisdiction to set the standard for the entire United States, or globally. Stay tuned.

Section 230 of The Communication Decency Act

The Communication Decency Act ('CDA') was passed in 1996 and immediately subjected to constitutional challenges ' the same constitutional challenges to which COPA would be subjected. From these challenges, Section 230 of the CDA survived unscathed and has become a valuable shield against legal challenges on Internet intermediaries ever since.

Section 230 states, in relevant part, that '[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.' It also preempts any state law to the contrary. In other words, an Internet intermediary will not be liable for the acts of its users, even if such acts amount to an actionable tort such as defamation. A Web site owner could, then, let users post whatever material they wish with complete impunity ' aside from public-relations concerns.

The key to Section 230 is that the material is posted by someone other than the Internet intermediary. See , e.g. , Batzel v. Smith , 333 F.3d 1018 (9 th Cir. 2003). So, then, one might well ask, what happens if you suddenly start editing your users' posts or start posting defamatory materials to your Web site? In those instances, your actions may fall outside Section 230's shield ' if your acts are more than minor editing. Unfortunately, courts have yet to determine what is considered protected editing under Section 230, as opposed to unprotected authorship that would categorizing you as an 'information content provider.' Wherever the line is drawn, it remains clear that if someone other than the Internet intermediary posted the information, Section 230 will provide a broad shield from liability.

The CAN-SPAM Act

The Controlling the Assault of Non-Solicited Pornography and Marketing Act ('CAN-SPAM') became effective on Jan. 1, 2004, and covers all e-mail whose primary purpose is advertising, or promoting a commercial product or service. The Act is meant to address 'spamming' ' or unsolicited e-mails that annoyingly clobber our e-mailboxes.

The Federal Trade Commission, the Department of Justice ('DOJ' at www.justice.gov), and other federal and state agencies have authority to enforce the Act with civil and criminal penalties. CAN-SPAM has several requirements, including the following:

  • Misleading information. The Act bans all types of misleading or false information that can be included in the 'to' and 'from' fields of the
    e-mail, and in the subject line. The e-mail must accurately identify its recipient and author.
  • Opt-out method. All e-mails covered by the Act must provide the recipient with the opportunity to opt out of receiving future e-mails. In other words, there must be a mechanism through which the recipient can inform the author of the e-mail that such e-mails are unwanted, and the author must abide by that request. The Act gives the author a safe-harbor of 10 days before honoring such requests. It also does not allow the author to resend an e-mail to the same address from another entity, and does not allow an entity to sell such e-mail addresses to another entity without including the opt-out information.
  • Advertising identification. CAN-SPAM also requires that all e-mail messages the Act covers to have a clear and conspicuous notice that the messages is an advertisement and that all recipients can opt-out of receiving further messages; e-mail message must also include valid physical postal address.

Penalties for failure to comply with the Act's requirement are stiff, possibly running up to $11,000. In some instances, the DOJ can seek criminal penalties, including imprisonment, for spammers of massive proportions, such as commercial e-mailers that register multiple e-mail accounts or domain names falsifying their information, or spammers that use a computer without authorization to send commercial e-mails covered by the Act.

Most businesses will rely on e-mail marketing solutions such as Constant Contact or Lyris that will facilitate compliance with the Act. It's important for all such businesses to keep track of opt-outs so that no unauthorized e-mail reaches a recipient when the mailing list is either transferred or updated. Some businesses prefer to have an opt-in method; although an opt-in is not a legal requirement, it may be a viable option for highly regulated fields such as the legal, health-care and financial industries.

International Privacy Concerns

Although most businesses include privacy notices within their site, some consideration must be given to the privacy laws of foreign jurisdictions in which the entity is doing or planning on doing business. Privacy policies may vary vastly between countries or continents. Consider, for instance, the European Union ('EU') and Japan as examples of comprehensive privacy regulations (http://europa.eu and www.kantei.go.jp/foreign/link/links_e.html).

The EU enacted in 1998 the European Union Directive on Data Protection ('Directive') that established a minimum standard of data privacy for personal information collected from EU citizens. The Directive requires that any entity that collects personally identifiable information from EU citizens provide the following information to such EU citizens:

  • How the information will be used by the collecting entity;
  • Access to such information to provide opportunity for potential edits; and
  • Notice, as well as the opportunity, to opt-out of having this information transferred to a third party.

The Directive requires that entities located in non-EU countries provide an 'adequate' level of protection for data collected from EU citizens. In order to comply with such a requirement, the United States entered into an agreement with the EU and developed the safe-harbor program (see, www.export.gov/safeharbor/SH_Overview.asp for more information). The safe-harbor program allows companies in the United States to 'certify' that they have complied with the requirements of the Directive rather than having an EU state determine otherwise.

To qualify under the safe-harbor program, a company must demonstrate that:

  • It has complied with the safe-harbor principles;
  • Such compliance has been verified by an outside party and that the company has implemented an internal dispute-resolution mechanism; and
  • It has submitted a letter to the U.S. Department of Commerce (www.commerce.gov) explaining the same.

Safe harbor principles with which a company must comply include the following.

  • Notice. An entity must explain exactly why it is collecting personal information and what it is planning on doing with the information. Typical disclosure requirements include whether the information will be distributed to third parties, how the EU subject can contact the company in the event of a complaint and whether the company has a system in place to limit the dissemination of personal information. This disclosure must be provided when the information is initially collected, or soon thereafter.
  • Choice. An entity must also provide an opportunity for the EU subject to opt-out of having information disclosed to a third party or used for purposes incompatible with the uses envisioned when the information was originally collected.
  • Transfers. All transfers to third parties must comply with the notice and choice requirements as explained above, or require that such third party comply with the safe-harbor principles.
  • Security. Companies must take reasonable precautions to protect information that EU subjects provide.
  • Data integrity. The company must use personal information for the relevant purposes for which it was collected.
  • Access. Personal information must be accessible to the EU subjects from which it was collected, and they must have an opportunity to edit or delete it as necessary.
  • Enforcement. An entity must provide an internal enforcement procedure that would process individual complaints and disputes due to the company's failure to abide by the safe-harbor principles.

A number of third-party assessment programs are available to facilitate compliance with the safe-harbor program, including BBBOnline (www.bbbonline.org), TRUSTe (www.truste.org) or Webtrust (www.webtrust.org). The benefits of complying with the safe-harbor program are not negligible. These benefits include an assumption by all 25 EU member states that the company has satisfied the 'adequacy' standard and the requirement that all claims EU citizens bring will have exclusive jurisdiction in the United States subject to certain limited exceptions.

Conclusion

Our online legal landscape is constantly evolving, which leaves some of the principles in the above-mentioned legislation as yet untested by legal challenges. Unlike COPA or the CDA, the safe-harbor program remains a work in progress as to its effectiveness. Nevertheless, it does show our willingness, at least on paper, to comply with the legal requirements of foreign countries. The good news is that most of the legal requirements provided in this two-installment article are not financially onerous for nascent businesses. If a startup can afford the legal fees involved in figuring all of these requirements out, implementation is for the most part driven by 'off the shelf' software, one of the benefits of operating online.


Olivera Medenica is with Wahab & Medenica LLC, a New York City-based law firm focusing on business/corporate, e-commerce and intellectual property. Medenica chairs the Entertainment, Media, Intellectual Property and Sports Section at the New York County Lawyers' Association and has been an adjunct faculty member at Brooklyn Law School for the last three years. Reach her at [email protected].
