I talk to clients all the time about not falling into the trap of believing that their privacy policy is really nothing but a lot of fluff, filled with vague, self-serving statements such as “we respect your privacy”.

It’s actually way more than that; it’s viewed as an enforceable contract by the Federal Trade Commission (FTC), and as such it may be construed against you and subject you to substantial liability.

It’s critical that you plan ahead… anticipate the future needs of your ecommerce business in terms of your marketing needs and related requirements of collecting, storing, and using information collected from site visitors. Failure to do so may jeopardize your most important assets — your opt-in and customer lists.

The Toysmart Case

Toysmart was an online seller of children’s toys. In 1999, Toysmart’s privacy policy was explicit; it stated unequivocally that the company would not share personal information of customers with any third party. Later, unforeseen difficulties forced Toysmart into bankruptcy under Chapter 11. One of Toysmart’s most valuable assets was its customer list and its associated personal information.

In 2000, when Toysmart attempted to sell its customer list to generate a recovery for its creditors, the FTC filed a “deceptive practice” lawsuit under Section 5 of the FTC Act. In addition, several state attorneys general objected to the sale. The FTC maintained that the sale of the customer list could only be consistent with the established privacy policy, and Toysmart’s privacy policy did not authorize the sale of personal information in the event of bankruptcy.

TIP No. 1: amend your privacy policy to cover transfers as part of any merger, acquisition, or sale of the company and/or its assets, as well as in the unlikely event of insolvency, bankruptcy, or receivership.

The Gateway Learning Corporation Case

Beginning in 2000, Gateway Learning Corporation posted a privacy policy on its website promising, among other things, not to rent consumers’ personal information to others.

In April, 2003, despite these promises, Gateway started renting personal information provided by consumers – including their names, addresses, phone numbers, and age ranges and gender of their children – to target marketers for use in direct mailings and telemarketing calls. Two months later, Gateway amended its privacy policy to permit the sharing of personal information, apparently believing that the amendment would take effect retroactively.

The FTC promptly filed suit against Gateway alleging that Gateway’s renting of personal information collected prior to the privacy policy amendment was unauthorized, and therefore a “deceptive practice” under Section 5 of the FTC Act. In other words, the FTC argued that the amendment was not retroactive.

TIP No.2: ensure that any personal information that is shared with others is authorized by clear privacy policy notices which were in the policy at the time the personal information was collected. Amendments regarding the sharing of personal information are not effective retroactively.

Conclusion

Although your privacy policy may not be an enforceable contract between you and site visitors in the strictest sense, the FTC will enforce your privacy policy against you for purposes of a Section 5 violation, and the FTC is always watching for violations. For this reason, privacy policies should be drafted and frequently reviewed with the lessons of the Toysmart and Gateway Learning cases in mind.

Given the difficulty of amending privacy policies retroactively, particularly regarding the sharing of personal information, it’s highly recommended that you anticipate in advance to the extent it’s possible the privacy disclosures that you might need to make down the road, and add them to your privacy policy now… before its too late.

Here’s a list of a few examples:

* collection of passive information by cookies and Internet tags;

* collection of navigational data by log files, server logs, and clickstream data;

* sharing with service providers such as ISP’s website designers, etc.;

* sharing with your entity affiliates, (subsidiaries, related entities);

* sharing with purchasers of your business;

* sharing with third-party web analytics services such as Google Analytics; and

* as pointed out in the Toysmart case, sharing in the unlikely event of bankruptcy, or receivership.

Conclusion

The lesson to be learned… if you anticipate these issues now and provide for them, you won’t be jeopardizing your most important assets — your opt-in and customer lists.

Many sites these days are interactive — they permit site visitors to post to the site.

Forums and blogs would be at the top of most of our lists for types of interactive sites. However, different kinds of sites are also permitting owners to post, such as classified ad sites.

What happens if a visitor posts a defamatory statement ‘- or statements that are in violation of specific statutes — on your blog, forum, or in a classified ad on your site? Are you liable?

The Communications Decency Act

Congress came to the rescue of “interactive computer services” in 1996 with subsection (c) of the Communications Decency Act which provides: “No provider or user of any interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” 47 USCA Sec. 230(c) (referred to below as “Section 230″). Section 230 was intended to overrule prior case law which routinely held that online providers were liable as publishers and speakers for third party content. Now, under Section 230, interactive websites have a shield against liability for visitor’s posts. However, two recent cases show that the Section 230 shield from liability has its limits.

The Craigslist.com Case Upholds Section 230 As Liability Shield

In November 2006, a US District Court held that Craigslist.com, an online classified ad site, was not liable for discriminatory practices of its users.

The suit had been brought by the Chicago Lawyers’ Committee for Civil Rights Under Law which alleged that Craigslist.com had a series of rental housing ads containing discriminatory statements. Examples of discriminatory statements by users included “no minorities” and “no children”.

In March 2008, the 7th Circuit Court of Appeals upheld the District Court’s decision. Essentially, the 7th Circuit held that Craigslist.com was just a “messenger” and is shielded from liability by Section 230 for the discriminatory ads posted by its users.

The Roommates.com Case Goes The Other Way

In April 2008, the 9th Circuit reversed a District Court’s ruling and held that Section 230 did not shield Roommates.com from certain portions of the site that gave users limited choices for expressing their beliefs. On the other hand portions of the site that allowed free-form text were held to be shielded by Section 230. Similar to the Craigslist.com case, the users’ statements were alleged to be discriminatory and in violation of fair housing statutes.

The key distinguishing factor noted by the 7th Circuit was the structure imposed by Roommates.com. For example:

* questions were posed to users asking for racial preferences; and

* pull-down menus for user’s profile answers required answers before the user could proceed

Does Roommates.com Case Signal a Major Shift?

The question arises: does the Roommates.com decision signal a major shift away from the protections of Section 230? The decision indicated that a major shift was not intended.

The opinion indicated that the ruling should only apply narrowly to a limited number of sites: “The message is clear: If you don’t encourage illegal content, or design your website to require users to input illegal content, you will be immune.”

In addition, the opinion contained clear language that a major shift away from Section 230 was not intended. “Websites are complicated enterprises, and there will always be close cases where a clever lawyer could argue that something the website operator did encouraged the illegality. Such close cases, we believe, must be resolved in favor of immunity, lest we cut the heart out of section 230 by forcing websites to face death by ten thousand duck-bites, fighting off claims that they promoted or encouraged — or at least tacitly assented to — the illegality of third parties.”

Beware of “Obligation To Monitor” Pitfall

A word of warning about another pitfall — be careful in assuming an obligation to monitor messages, email, or posts contributed by your site visitors or in exercising editorial control over them. If you assume an obligation to monitor, or if you maintain editorial control, and if you fail to screen out defamatory statements, you may be liable, despite the protections of Section 230.

For this reason, your Terms of Use should clearly state the extent to which you exercise editorial control, if at all, over messages, email, or posts of site visitors. And it’s always best to reserve the right to monitor postings, but not the obligation to monitor.

Conclusion

In summary, there are 2 basic lessons regarding visitors’ posts to your site:

* beware of placing structure on user’s posts in classified ad sites; there is safety in free-form text, and

* be careful to avoid an obligation to monitor visitors’ posts.

If you’ve been following legal developments on the Web in the last couple of years, you know that there is significant concern regarding privacy and data security. This concern is driven by consumers’ fears over identity theft.

The Life Is Good Case – 5 Data Security Safeguards

In a well-known case filed against Lifeisgood.com, the Federal Trade Commission (FTC) announced in a press release dated January 17, 2008, that Life Is Good agreed to implement the following 5 administrative, technical, and physical safeguards for data security:

1. Designate an employee or employees to coordinate the information security program.

2. Identify internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place.

3. Design and implement safeguards to control the risks identified in the risk assessment and monitor their effectiveness.

4. Develop reasonable steps to select and oversee service providers that handle the personal information of customers.

5. Evaluate and adjust its information-security program to reflect the results of monitoring any material changes to the company’s operations, or other circumstances that may impact the effectiveness of its security program.

FTC Recommendation No. 4 — Ignore It At Your Peril

In dealing with my ecommerce clients, I’ve discovered that the recommendation that is followed least is Recommendation No. 4 — bind your service providers.

All too often, even the most diligent ecommerce and SaaS businesses focus exclusively on internal security measures in developing their data security policy and program. As the FTC reminds us with recommendation No. 4, it’s also very important to consider implementing data security measures in the form of contractual requirements binding service providers who have access to your site — and to your site’s databases where personal information is stored.

The Influence of The Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLB) is a federal statute that permitted consolidation among businesses in the financial services industry. GLB also provided requirements for financial services businesses to protect the security of consumer’s financial information.

Prior to the Lifeisgood.com case, the FTC sued financial service companies in a series of cases known as the “Safeguards Cases” for failure (among other things) to “require service providers, by written contract, to protect consumers’ personal information”. This requirement has now found its way into the FTC’s claims against businesses that are not in the financial services sector, as indicated by the FTC’s case against Lifeisgood.com.

The Scenario To Avoid

So, this is the classic liability scenario: you own operate a website that sells goods or services, but you outsource certain functions to a website hosting, SEO, or website maintenance service provider. These service providers’ services are viewed by your customers as provided by you. If a service provider violates a privacy law or creates a data security breach, then — you guessed it — your customers who are damaged will seek to hold you liable.

What To Do?

To avoid liability, you should bind your service providers that have access to personal information with legally enforceable agreements. In these agreements, your service providers should agree to abide by your privacy and data security requirements.

In addition, consider the following points for these agreements:

* representations and warranties — including (i) that your privacy policy requirements will be followed, (ii) that entering into the contract does not violate another agreement, and (iii) all applicable privacy and data security laws will be followed;

* notices, audits, reports, and controls — including (i) notice of change in privacy or data security practices, (ii) notice of any data security breach, (iii) right to audit at least annually, and (iv) records requirements; and

* indemnities — including any breach of representations and warranties.

It will be difficult to negotiate an agreement that provides all of the foregoing safeguards; however, merely bringing them up for discussion will nail home the point that you’re serious about privacy and data security. At the very least, your agreement should provide for basic levels of privacy and data security protection.

Up until registration, his trademark would be called a common law mark and he runs the risk of finding after many years of business that there is a prior registration of a similar name in a similar class of goods. He may find that there is a similar name which has been in the market place unregistered but with a commencement date prior to that of the client’s first usage.

Upon addressing the matter of registration the client is confronted by having to carry out searches to establish what identical, similar or deceptively similar marks are on the Trademark Register or in the market place with a priority date well before the client’s first stated usage.

Common law rights are those rights you can enforce by an action without primary reliance on statute law.

The Designs Act, Patents Act and Trademarks Act all give you statutory rights as an incidence of registration of your trademark or invention. Valuable enforcement rights will arise as an incidence of such registration.

Having developed a reputation, goodwill and a significant capital value attaching to the unregistered trademark, the owner must then contemplate the fact that there may be prior registrations that are similar or deceptively similar or where another business, perhaps an opposition business, has been using their mark to develop goodwill and reputation predating that of the client’s first usage.

Where a contest develops over who has the prior right to the name, there is a real prospect that the client would not only lose the contest but lose significant capital such as the removal of its name, the loss of its profits for the period of conflict and the obligation to start again with a new name, which in turn can amount to losses of immense amounts of capital.

The ownership of a common law trade name is an excellent example of playing Russian Roulette with the company’s capital.

Where a company proceeds to adopt and assume a trademark that is unregistered there is a very real likelihood that it will be tempted to describe attributes of its product or service in that name. An excellent example would be the name Bankstown Smash Repairs. It is not appropriate to identify a geographic region in a name and it is not appropriate to identify the product or service in the name.

Very often the names that are chosen are names that are generic or inappropriate and should remain available to all of those who compete in that industry. An example of such words is ’smash repairs’.

It is always best to invent a name which has nothing to do with the product or its attributes. It is usually too late to warn a client on these factors when they have developed goodwill and reputation at common law.

Where you have given the right of exclusive use of your trademark to a licensee then usually you will have given that licensee the right to protect the intellectual property against invaders and trespassers.

It is possible that the exclusive licensee is not interested in protecting the reputation attaching to the trademark property, but as the registered proprietor you may feel you must protect the integrity of your trademark and you can do so provided you have reserved those enforcement rights during the preparation of that licence. The need to take action can arise during the course of the license or after its termination.

There could be many commercial reasons why a licensee does not want to spend funds on fighting invaders and trespassers and it may fall to you to defend the integrity and reputation of the trademark.

If you have failed to draft the license correctly in not reserving to yourself the right to supervise the quality of the licensee’s products with regularity then you will have difficulty in protecting that integrity and reputation.

Not only must you reserve to yourself the right to supervise quality but also you must exercise that right and not appear to abandon it by failure to supervise for lengthy periods or failure to supervise regularly.

In addition a licensee may feel that when the exclusive license lapses he has adequate momentum in his product and reputation not to bother with a renewal of the exclusive license.

Where there has been a failure by the Licensee to renew the license, the registered proprietor must ensure that the reputation and goodwill attaching to a trademark have expressly re-vested in him as the registered proprietor.

Whilst these requirements seem to be only incidental to the main business of granting rights to a licensee and receiving royalties from him it is obvious that the mark could be seriously imperiled unless the above two factors are treated with detailed attention in the license document.

Continuing use and development of reputation and goodwill in an unregistrable mark can eventually allow its registration. The unregistrable mark can become known in the eyes of the market or the public as one that distinguishes the owner’s goods and/or services from those of his competitors. Upon such proof being established, which carries a very heavy burden to discharge, such an offending mark can be applied for and may be approved for registration.

It is far better to take advice before commencement of use of a mark so as to ensure it does not offend against other marks and therefore attract lawsuits and opposition to registration. It is possible to offend against another mark registered or unregistered by direct conflict or by using a mark that is deceptively similar to another mark.

Any interloper or trespasser will be easily put to heel if he is offending against a registered mark in the same or similar classification for goods.

Injunctions, serious pecuniary penalties, claims for damages and an account for profits can be directed to the offending user/owner. http://www.lawfully.com.au

When the issue pertaining to taxes and your online business arise, you usually take it negatively which would in turn end up in a negative note.

However, if you decide to change the way you think and turn your negative approach to a positive one, then you would surely realize that paying online sales tax is not a taxing job at all.

Online business owners or e-tailers are commonly complaining about online sales tax primarily because they don’t clearly understand and grasp the meaning, scope and limitations of the law and regulation that pertains to it.

If you want your online business to boom and prosper, you should have the initiative to gain as much knowledge as you can about taxes and online businesses.

Be Aware Of Taxability And Exemptions

You should be aware that not all services or products are taxable or taxed in the same way as other services and products are.

Furthermore, the taxability of some products also differ from state to state. There are also exemptions based on how the product is used as well as who uses them.

An example to this would be schools and non-profit organizations – these kinds of institutions may not be required to pay sales tax if they avail any of your products or services.

Take note that exemptions require clear and concise documentation.

Consider State Sourcing Rules and Validate Addresses

There are more or less 12,500 tax regions in the United States and for you to come up with an accurate sales tax calculation, you have to identify and validate the “roof top address” and then apply it to the exact set of sales tax rates of that certain transaction.

You must remember that the rate of the sales tax applied to a sale or purchase may be made up of a country sales tax, a state sales tax, a city sales tax and other special taxing jurisdictions.

The so-called “roof top address” is very important is because it serves as a warning that one household in a neighbourhood can have a different sales tax rate that its neighbour, if it is located physically in a different zone already.

Use Tax

Consumer use tax or use tax is a kind of tax that pertains to the using, consuming, storing and sometimes distribution of personal tangible property.

Aside from that, it can also be applied to services which are taxable. For short, you will need to pay use tax in a state where that “usage” occurs.

A clear example for this would be: you bought a pair of shoes over the Internet and you did not pay any tax to the seller.

However, you used those pair of shoes in your state, so you are subject to pay your state the use tax.

As an online business merchant, the abovementioned tips and guidelines are just few of the other tips and guidelines that you need to learn.

Taxes and your online business should work together, if you want you business to become successful.