Archive for the ‘Corporate’ Category
New Jersey’s Revised Uniform Limited Liability Company Act – What all owners of New Jersey LLCs Need to Know
What is the New Jersey’s Revised Uniform Limited Liability Company Act?
The Revised Uniform Limited Liability Company Act (“RULLCA”) replaces and expands New Jersey’s Uniform Limited Liability Company Act (“NJ ULLCA”) which was originally put in place to govern limited liability companies in January of 1994. RULLCA was officially enacted on March 18, 2013, and, at least for the next 11 months, applies only to LLCs formed after that date. After March 1, 2014, the RULLCA will apply to all LLCs regardless of the date of formation.
How will the RULLCA affect your LLC?
The following is a brief summary of the most significant changes to the statute that may affect your LLC:
1. Fiduciary Duties
Under the outgoing NJ ULLCA, LLC members owe fiduciary duties to other members. (These are generally the duty of loyalty and the duty of care.) The duty of loyalty often involves avoiding conflicts of interest, however, the members could waive the fiduciary duty in the operating agreement. This framework allows many people to participate in multiple businesses outside an LLC even when those other activities might conflict with the LLC’s business.
RULLCA no longer permits the members to agree to waive certain rights, including fiduciary and other rights that they owe to each other, like the duty of good faith and fair dealing. While this may not have significant impact on the operation of a company in the ordinary course, in disputes between members involving activities outside of the company, this can have a dramatic effect and provides an aggrieved member with significantly improved rights.
Under the RULLCA, the default rule on distributions is that all profit available for distribution will be made to the members on a ‘per capita” distribution, meaning equal shares for each member, unless otherwise agreed to in the operating agreement. This change means that any LLCs that do not have an operating agreement and that have been distributing profit other than on an “equal share” basis, will be required to do so.
Under the NJ ULLCA, upon disassociation a member, absent a contrary provision in the operating agreement, is entitled to be paid the fair value of his or her interest in the company, which can be a financial stress on a business that might prefer to deploy its capital for growth. Under the RUCLLA, a “resigning” member is no longer automatically entitled to receive fair value; instead that person becomes dissociated as a member and assumes the rights of economic interest holder. This change means that the member loses the right to participate in the governance of the company (as well as the potential liability associated with the operation of the company), but retains the rights to receive distributions of profit and of the company’s assets upon liquidation or dissolution. Absent a provision in the operating agreement that requires the sale of the member’s interest upon disassociation, a member will neither be entitled to be bought out nor will the company have the right (or obligation) to do so (note that this can have the effect of enabling a member to cease participating in the business while continuing to profit from it, an outcome typically not desired by the remaining members).
4. Deadlock and Oppression
Under the NJ ULLCA, there are very few rights afforded to a minority member that is oppressed by the majority or, similarly, to resolve a deadlock between members. As such, this issue is typically addressed in the operating agreement to ensure that the members have remedies in the event of oppression or deadlock. The RULLCA provides express remedies for oppressed minority members: the right to seek the dissolution of the LLC or the appointment of a custodian. These remedies give the oppressed minority substantial leverage to obtain a buyout or other relief relating to the operation of the company that it previously did not expressly have under the NJ ULLCA.
While it is good practice to have your LLC operating agreement reviewed every few years to ensure that it is consistent with the intentions and practices of the members, the changes effectuated by the RULLCA make it critical that every company’s operating agreement be updated to make sure that it consistent with the revisions to the law.
New Law Significantly Limits Viability of Certain Shareholder Derivative Suits in New Jersey
On April 2nd, New Jersey Governor Chris Christie signed bill A-3123 into law and in doing so, significantly revised the law in New Jersey regarding shareholder derivative proceedings under N.J.S.A. §14A:3-6, etseq. The stated purpose of the new law is to temper derivative lawsuits brought by shareholders against a corporation, its directors or majority shareholders and to make efforts to curb excessive and unnecessary litigation costs on New Jersey corporations. Beyond this succinct goal, an ancillary intent of the law is to encourage corporations to continue to incorporate in New Jersey by making the state more corporate friendly.
Notable changes include the following:
As a precondition to suit, a shareholder must make a written demand to the corporation to take suitable corrective action and allow the corporation 90 days to investigate and respond to the demand unless “irreparable injury to the corporation would result by waiting.” This 90 day waiting period is a akin to a tort claims notice and is intended to give corporations adequate time to remedy potentially minor issues before dealing with the costs and expense of litigation.
In the event that a plaintiff challenges a company’s actions in suit after the demands made in the 90 day letter are rejected, he/she/it must allege with particularity that the decision was improper and show any rejection was in bad faith or not made by “independent directors.” A status as a litigant does not divest a director of independence and unless the independence of the directors is challenged successfully, the plaintiff must show bad faith on the part of the entity.
The law increases the interest requirement that a plaintiff must hold an entity to avoid the posting of security against the possible award of attorney’s fees and costs. If litigant a holds less than 5% of the outstanding shares of any class or series of the corporation, unless the shares have a market value in excess of $250,000, the corporation can require the plaintiff to give security for the reasonable expenses, including attorney’s fees. This will hopefully dissuade minority shareholders from filing suits with questionable merit.
The law requires that a plaintiff remain a shareholder throughout any initiated litigation so that it can adequately and fairly represent the corporation’s interests. Prior to this change, the shareholder merely had to be a shareholder at the time suit was filed.
The law applies to both derivative proceedings brought on behalf of single shareholders as well as class actions.
A corporation can move for dismissal of a suit, after a good faith investigation, and assert that the derivative proceeding is not in the best interest of the corporation on the grounds that its board is independent and acted in good faith. Such a motion will be granted unless the court finds otherwise or the shareholders rebut the corporation’s supporting facts.
The court must stay discovery until ruling on the motion to dismiss, but can order limited discovery if the plaintiff shows a lack of independence or good faith.
The court must approve any settlement or dismissal.
The court can award expenses to the plaintiff if the proceedings result in a substantial benefit to the corporation, or to the defendant if the case was commenced or maintained without reasonable diligence or reasonable cause or for an improper purpose.
For these new provisions to apply, existing corporations must amend their certificate of incorporation and explicitly adopt these provisions.
For more information about this new law and how it may impact your business please contact Olender Feldman LLP, or review our additional business legal resources here.
Pending approval by Governor Christie, New Jersey will adopt a new set of laws pertaining to the formation and operation of limited liability companies.
By Joseph Olender
In 2011, the New Jersey Assembly proposed Bill No. 1543, which would change the way that limited liability companies (LLCs) in the state are created and operate. The bill was created in an attempt to fill gaps in New Jersey law regarding the operation of LLCs, as well as to update existing law that had become outdated.
The bill passed unanimously through the Assembly on May 24th and the Senate on June 21st, needs only the signature of Governor Christie to become law. This bill, a version of the Revised Uniform Limited Liability Company Act (RULLCA), effectively repeals the New Jersey Limited Liability Company Act (NJLLCA), and replaces it with a modern regulatory scheme for the creation and operation of limited liability companies in New Jersey.
The RULLCA, as developed by the National Conference of Commissioners on Uniform State Laws (NCCUSL), is a significant advancement and common sense approach to the governing of limited liability companies. New Jersey is one of many states to propose a bill which would adopt a version of the RULLCA. The bill would significantly impact the way LLCs do business, and assemblymen hope that it will boost job growth potential in the state. The bill is designed to change some aspects of the law currently in place via the NJLLCA, and also deal with areas of the law that New Jersey has not yet covered.
The bill would mandate some significant changes including:
- Perpetual Duration. Eliminates the default rule that LLCs have a limited life. As is already the case with New Jersey corporations, New Jersey LLCs would have perpetual duration.
- Permissible form of operating agreement. Permits operating agreements to be oral, written or implied based on the way the LLC is operated.
- Distributions. Unless otherwise agreed upon, distributions are made to members on a per capita basis.
- Statements of authority. It allows an LLC to file statement s of authority with the Division of Revenue in the Department of the Treasury, authorizing certain individuals or entities to bind the LLC.
- Disassociation of a member. This would eliminate a major pitfall for the unwary practitioner forming an LLC in New Jersey. A resigning owner is no longer entitled to receive the fair value of his or her LLC interest as of the date of resignation. Rather, upon, resignation, the resigning member is disassociated as a member and only has the rights of an economic interest holder.
- Remedies for deadlock and oppression. It extends many of the traditional remedies available at common law or pursuant to statute to LLCs. It permits a member to seek a court order dissolving the company on the grounds that the managers or those members in control of the company have acted or are acting in manner that is oppressive and was, is, or will be directly harmful to the member. It also permits a less drastic form to resolve deadlock in the form of an appointed custodian.
If signed by Governor Christie the bill will become effective after 180 days and will govern all LLCs formed after its effective date. Following the first day of the 18th month following the bill’s enactment, it will apply to all New Jersey LLCs.
The Jumpstart Our Business Startups Act or JOBS Act, intended to encourage funding of United States small businesses by easing various securities regulations, was signed into law by President Obama on April 5, 2012.
On April 5, 2012, the Jumpstart Our Business Startups Act (“JOBS Act”) was signed into law. The fundamental change that it will have on companies is their ability to raise capital through a private placement under Rule 506 of Regulation D of the Securities Act of 1933, as amended (“Rule 506 Offering”). The JOBS Act, among other things, will eliminate the prohibitions under the U.S. federal securities laws against general advertising or general solicitation in connection with a Rule 506 Offering; provided that all purchases are made to accredited investors. The elimination of the general advertising and general solicitation restrictions could have a significant impact on a company’s ability to raise capital because it allows companies to reach a more diverse group and larger number of potential investors through their marketing efforts. The enactment of the JOBS Act directed the U.S. Securities and Exchange Commission (“SEC”) to revise Rule 506 of Regulation D within 90 days of its enactment, or by July 4, 2012. The current rules are still applicable to Rule 506 Offerings until the SEC amends Rule 506 of Regulation D.
Currently, under Rule 506 of Regulation D, companies are prohibited from soliciting investors through general advertisements or general solicitations, which makes it difficult for startups and small companies to raise capital since, as is often the case, they do not have enough contacts who are accredited investors that have the financial capability to invest in their company. With the implementation of the JOBS Act, a company will have the ability to tap a larger pool of investors than they originally had access to since they will now be allowed to solicit investors through general advertisements and general solicitations. This should open up access to more funding opportunities then companies previously experienced. The one caveat is that all investors must be accredited investors as such term is defined under Rule 501(a) of Regulation D (“Accredited Investor”).
An Accredited Investor is generally someone who has enough knowledge and business experience and acumen that they do not need to be afforded the full protection of the securities laws. Since this was a difficult standard to interpret, the SEC enacted Rule 501(a) to clarify the meaning of an Accredited Investor. There are eight (8) different categories of investors under the definition of an Accredited Investor, the most widely used by startup and small companies is:
- 501(a)(6) any natural person whose individual net worth, or jointly with their spouse, exceeds $1 million at the time of purchase, excluding the value of such person’s primary residence; or
- 501(a)(7) any natural person with income exceeding $200,000, or joint income with a spouse exceeding $300,000, for the two most recent years with a reasonable expectation of achieving the same income level in the current year.
A company can avail itself of the elimination of the advertising prohibitions in a Rule 506 Offering by taking “reasonable steps to verify that purchasers of the securities are accredited investors”. The meaning of this standard is unclear as of now, but hopes are that the SEC will clarify its meaning when it revises Rule 506 of Regulation D.
Once the SEC amends Rule 506 of Regulation D, companies will be able to conduct private placements through the facilitation of general advertisements and general solicitations as long as they reasonably verify that the securities are sold to Accredited Investors only.
Today, the Federal Trade Commission (FTC) issued a final report setting forth best practices for businesses to protect the privacy of American consumers and give them greater control over the collection and use of their personal data, entitled “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers.” The FTC also issued a brief new video explaining the FTC’s positions. Here are the key take-aways from the final report:
- Privacy by Design. Companies should incorporate privacy protections in developing their products, and in their everyday business practices. These include reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to ensure that such data is accurate;
- Simplified Choice. Companies should give consumers the option to decide what information is shared about them, and with whom. Companies should also give consumers that choice at a time and in a context that matters to people, although choice need not be provided for certain “commonly accepted practices” that the consumer would expect.
- Do Not Track. Companies should include a Do-Not-Track mechanism that would provide a simple, easy way for consumers to control the tracking of their online activities.
- Increased Transparency. Companies should disclose details about their collection and use of consumers’ information, and provide consumers access to the data collected about them.
- Small Businesses Exempt. The above restrictions do not apply to companies who collect only non-sensitive data from fewer than 5,000 consumers a year, provided they don’t share the data with third parties.
Interestingly, the FTC’s focus on consumer unfairness, rather than consumer deception, was something that FTC Commissioner Julie Brill hinted to me when we discussed overreaching privacy policies and terms of service at Fordham University’s Big Data, Big Issues symposium earlier this month.
If businesses want to minimize the chances of finding themselves the subject of an FTC investigation, they should be prepared to follow these best practices. If you have any questions about what the FTC’s guidelines mean for your business, please feel free to contact us.
I had the pleasure of attending Fordham Law School’s Center on Law & Information Policy (CLIP)’s Big Data, Big Issues Symposium today, which had a fascinating lineup of many of best thinkers in privacy. The Federal Trade Commission (FTC)’s Julie Brill, delivered a very interesting keynote address about the benefits and dangers of big data, as well as the evolving privacy concerns. The address is well worth a read.
I had a chance to chat with Commissioner Brill after her speech, and asked her thoughts about privacy policies and terms of service that allow for unrestricted and unlimited use of data, such as the infamous Skipity policies. Commissioner Brill stated that, given that most users don’t read privacy policies and terms of service, the FTC is very concerned by these types of one-sided policies. She mentioned that the aggregation and use of data outside of the context of collection is something that the FTC hopes to issue guidance on in the future, and may well be unfair and deceptive regardless of a consumer’s consent.
My takeaway from the chat is that consumer consent will not insulate a website from FTC scrutiny, and that the reasonable expectations of a consumer may dictate the FTC’s considerations of whether a policy is unfair or deceptive, especially given that so little attention is paid to these policies by consumers. However, at the same time, it is important that policies reflect the company’s actual practices.
To understand the genesis of “Do Not Track” it is important to understand what online tracking is and how it works. If you visit any website supported by advertising (as well as many that are not), a number of tracking objects may be placed on your device. These online tracking technologies take many forms, including HTTP cookies, web beacons (clear GIFs), local shared objects or flash cookies, HTML5 cookies, browser history sniffers and browser fingerprinting. What they all have in common is that they use tracking technology to observe web users’ interests, including content consumed, ads clicked, and other search keywords and conversions to track online movements, and build an online behavior profiles that are used to determine which ads are selected when a particular webpage is accessed. Collectively, these are known as behavioral targeting or advertising. Tracking technologies are also used for other purposes in addition to behavioral targeting, including site analytics, advertising metrics and reporting, and capping the frequency with which individual ads are displayed to users.
The focus on behavioral advertising by advertisers and ecommerce merchants stems from its effectiveness. Studies have found that behavioral advertising increases the click through rate by as much as 670% when compared with non-targeted advertising. Accordingly, behavioral advertising can bring in an average of 2.68 more revenue than of non-targeted advertising.
If behavioral advertising provides benefits such as increased relevance and usefulness to both advertisers and consumers, how has it become so controversial? Traditionally, advertisers have avoided collecting personally identifiable information (PII), preferring anonymous tracking data. However, new analytic tools and algorithms make it possible to combine “anonymous” information to create detailed profiles that can be associated with a particular computer or person. Formerly anonymous information can be re-identified, and companies are taking advantage in order to deliver increasingly targeted ads. Some of those practices have led to renewed privacy concerns. For example, recently Target was able to identify that a teenager was pregnant – before her father had any idea. It seems that Target has identified certain patterns in expecting mothers, and assigns shoppers a “pregnancy prediction score.” Apparently, the father was livid when his high-school age daughter was repeatedly targeted with various maternity items, only to later find out that, well, Target knew more about his daughter than he did (at least in that regard). Needless to say, some PII is more sensitive than others, but it is almost always alarming when you don’t know what others know about you.
Ultimately, most users find it a little creepy when they find out that Facebook tracks your web browsing activity through their “Like” button, or that detailed profiles of their browsing history exist that could be associated with them. According to a recent Gallup poll, 61% of individuals polled felt the privacy intrusion presented by tracking was not worth the free access to content. 67% said that advertisers should not be able to match ads to specific interests based upon websites visited.
The wild west of internet tracking may soon be coming to a close. The FTC has issued its recommendations for Do Not Track, which they recommend be instituted as a browser based mechanism through which consumers could make persistent choices to signal whether or not they want to be tracked or receive targeted advertising. However, you shouldn’t wait for an FTC compliance notice to start rethinking your privacy practices.
It goes without saying that companies are required to follow the existing privacy laws. However, it is important to not only speak with a privacy lawyer to ensure compliance with existing privacy laws and regulations (the FTC compliance division also monitors whether companies comply with posted privacy policies and terms of service) but also to ensure that your tracking and analytics are done in an non-creepy, non-intrusive manner that is clearly communicated to your customers and enables them to opt-in, and gives them an opportunity to opt out at their discretion. Your respect for your consumers’ privacy concerns will reap long-term benefits beyond anything that surreptitious tracking could ever accomplish.
We often get questions from both clients and journalists (e.g., here, and here) regarding liability for posting content on the internet, most of it centering around the same basic premise: “Why can Company X post this content on their website? How is that legal? Isn’t that an invasion of privacy?”
In most cases, the answer can be found in Section 230 of the Communications Decency Act of 1996, 47 U.S.C. § 230 (“CDA”). The act provides immunity for Internet Service Providers (read: websites, blogs, listservs, forums, etc.) who publish information provided by others, so long as they comply with the Digital Millennium Copyright Act of 1998 (“DMCA”) and take down content that infringes the intellectual property rights of others. In order to understand the CDA and DMCA, it is helpful to understand how each came about.
The United States has historically favored free speech, with certain limitations. Under the law, a writer or publisher of harmful information is treated differently than a distributor of that information. The theory behind this distinction is that the speaker and publisher have the knowledge of and editorial control over the content, whereas a distributor might not be aware of the content, much less whether it is harmful. Thus, if a writer publishes defamatory content in a book, both the writer and the publisher can be held liable, whereas a library or bookstore that distributed the book cannot.
Initially, courts found a distinction in liability based on whether the website was moderated. An unmoderated/unmonitored website was considered a distributor of information, rather than a publisher, because it did not review the contents of its message boards. Conversely, courts found a moderated/monitored website to be a publisher, concluding that the exercise of editorial control over content made it more like a publisher than a distributor – and thus the website was liable for anything that appeared on the site. Unsurprisingly, this created strong disincentives to monitoring or moderating websites, as doing so increased potential liability.
Given the sheer amount of information communicated online, the potential for liability based on third-party content (i.e. user comments on a blog, website or web bulletin board) threatened the viability of service providers and free speech over the internet.
Congress specifically wanted to remove these disincentives to self-moderation by websites and responded by passing the CDA. The CDA immunizes, with limited exceptions, providers and users of “interactive computer services” from publisher’s liability, so long as the information is provided by a third party (interactive computer service is defined broadly, and covers blogs). This immunity does not cover intellectual property claims or criminal liability, and of course the original creator of the content is not immune. That means a blogger or commentator is responsible for his/her own comments, though not for the submitted content of others (even if it violates a third-party’s privacy, or is defamatory, etc). Generally, the CDA will cover a website that hosts third-party content, and exercises editorial functions, such as deciding whether to publish, remove or edit material does not affect that immunity unless those actions materially alter the content (e.g.. changing “Aaron is not a scumbag” to “Aaron is a scumbag” would be a material alteration, whereas cropping a photo or fixing typos would not).
Accordingly, websites that post only user submitted content (even if the website encourages or pays third parties to create or submit content) are protected under the CDA, and immune from liability, with two major exceptions. The CDA does not immunize against the posting of criminally illegal content (such as underage pornography), and it does not immunize against the posting of another’s intellectual property without permission. Tasked with balancing the need to protect intellectual property rights online, as well as the various challenges faced by websites that lead to the CDA, Congress implemented the DMCA. The DMCA creates a safe harbor against copyright liability for websites, so long as block access to allegedly infringing material upon receipt of a notification from a copyright holder claiming infringement.
Ultimately, protecting yourself from liability under the CDA and DMCA or protecting your intellectual property rights online can be tricky. If you have any questions, feel free to contact us.
I recently had the opportunity to speak with Karen Boman of Rigzone about RFID technology and workplace privacy. Although the article focuses on the oil industry, the best practices of openness and transparency are generally applicable to most workplaces. The entire article can be found here, and makes for an engaging and informative read.
RFID technology in and of itself does not pose a threat to privacy – it’s when the technology is deployed in a way not consistent with responsible privacy information security practices that RFID becomes a problem, said Aaron Messing, associate with Union, N.J.-based OlenderFeldman LLP. Messing handles privacy issues for clients that include manufacturing and e-commerce firms.
Legal issues can arise if a company is tracking its employees secretly, Messing noted, or if it places a tracking device on an employees’ property without permission.
He recommends that clients should follow basic principles of good business practices, including making employees aware they are being monitored and getting written consent.
“Openness and transparency over how data is tracked and what is being used is the best policy, as employees are typically concerned about how information on them is being used,” Messing commented. “We advise clients to limit their tracking of employees to working hours, or when that’s not feasible, they should only access the information they want to track, such as working hours.”
The clients Messing works with that use RFID typically use the technology for tracking inventory, not workers. Messing can see where RFID would have legitimate uses on an oil rig. In the case of oil rigs, RFID tracking can be a good thing in case of emergency, as RFID makes it possible to determine whether all employees have been evacuated or how evacuation plans should be formed, Messing commented.
“It really depends on what the information is being used for,” Messing commented. However, employers that don’t have legitimate reasons for tracking workers can result in loss of morale among workers or loss of workers to other companies.
Workers who have RFID lanyards or tags can leave their tags at home once the work day is over to avoid be tracked off-hours. However, employees generally don’t have a lot of rights in terms of privacy while on the job. ”Since an employee is being paid to work, the expectation is that employers have a right to track employees’ activities,” said Messing. This activity can include monitoring phone conversations, computer activity, movements throughout a building and bathroom breaks.
However, companies should try to design monitoring programs that are respectful of employees.
“Companies that do things such as block personal email or certain websites and place a lot of restrictions on workers may do more harm than good, since workers don’t like feeling like they’re not trusted or working in a nanny state,” Messing commented.
Cctv Camera by Colin Russell
If your company is a service provider (generally any company providing third-party services, ranging from a payroll provider to an e-commerce hosting provider) or your company utilizes service providers, you need to be aware of the Massachusetts Data Security Regulations (the “Regulations”). The Regulations require that by March 1, 2012, all service provider contracts must contain appropriate security measures to protect the personal information (as described below) of Massachusetts residents. See 201 CMR 17.03(2)(f). All companies that “own or license” personal information of Massachusetts residents, regardless of where the companies are physically located, will need to comply with the Regulations. Additionally, all entities that own or license personal information of Massachusetts residents are required to develop, implement and maintain a written information security program (“WISP”), which lists the administrative, technical and physical safeguards in place to protect personal information.
“Personal information” is defined by the Regulations as a Massachusetts resident’s first and last name, or first initial and last name, in connection with any of the following: (1) Social Security number; (2) driver’s license number or state-issued identification card number; or (3) financial account number, or credit or debit card number.
If your company uses service providers, you are responsible for your service provider’s compliance with the Regulations as it relates to your business and your customers. The Regulations are clear that if your service provider receives, stores, maintains, processes, or otherwise has access to personal information of Massachusetts residents, you are responsible to make sure that your service providers maintain appropriate security measures to protect that personal information. Therefore you should make sure that your agreements with service providers contain appropriate language, obligations and indemnifications to protect your interests and assure compliance by your service provider. If you are a service provider, you need to develop a comprehensive WISP in order to protect yourself from liability.
If you have any questions or concerns regarding the implementation of the Regulations or how it may affect your business, please feel free to contact us.
A February 2011 ruling against Williams-Sonoma by the California Supreme Court held that a consumer’s ZIP code was “personal identification information” that merchants are not permitted to demand from customers under a California consumer privacy law. The result was a rash of lawsuits against businesses such as Wal-Mart Stores Inc., Bed Bath & Beyond Inc., Crate & Barrel and Victoria’s Secret. Though some stores claim to use the ZIP code information to protect against credit card fraud (i.e., if the card was stolen, the user is less likely to know the ZIP code of the true owner), most businesses use the information for marketing purposes. Ultimately, the California Supreme Court held that merchants can still collect customer’s ZIP codes under limited circumstances such as gas station pumps where the information is requested for security reasons, and in transactions involving shipping. Retailers may also ask customers to produce a valid driver’s license for security reasons, but may not record the personal information contained on the license.
The California Supreme Court’s decision was premised upon California’s strict consumer privacy laws. However, the theory of ZIP codes representing personal or protected information has now spread to New Jersey. Superior Court Judge Stephan Hansbury refused to dismiss a lawsuit against Harmon Stores, Inc. for collecting ZIP code information from its credit card customers. The Court held that New Jersey’s Truth in Consumer Contract, Warranty and Notice Act allowed the plaintiffs to assert a claim for violation of N.J.S.A. 56:11-17, which provides:
No person which accepts a credit card for a consumer transaction shall require the credit card holder, as a condition of using a credit card in completing the consumer transaction, to provide for recordation on the credit card transaction form or any other form, any personal identification information that is not required by the issuer to complete the credit card transaction, including, but not limited to, the credit card holder’s address or telephone number, or both; provided, however, that the credit card holder’s telephone number may be required on a credit card transaction form if the credit card transaction is one for which the credit card issuer does not require authorization. (emphasis added)
It appears that the New Jersey Superior Court, like the California Supreme Court, considers ZIP code information to represent protected “personal identification information.” As a general matter, the ZIP code information is not required by the credit card company. As the New Jersey case is in its infancy, we do not yet know the results or full repercussions.
While it is likely that the Harmon Stores case will be appealed at some point (if it does not settle), its very existence creates new uncertainty amongst New Jersey consumers and merchants alike. For consumers, Judge Hansbury’s opinion suggests that the consumer can refuse to provide his or her ZIP code information when engaging in a live transaction (as opposed to online transactions or, like in California, when using an automated machine to charge a transaction). Of course, it is also possible that refusing to provide ZIP code information could simply result in the merchant demanding that you produce a driver’s license.
Merchants, on the other hand, should be sure to have a valid justification for seeking a customer’s ZIP code information in connection with any credit card transaction. Merely seeking it for marketing purposes will not suffice. Alternatively, merchants can be clear in seeking the ZIP code information that providing the information is completely voluntary. However, engaging in such a practice presents its own pitfalls and could create new confusion or a public relations nightmare.
As privacy-related litigation and consumer’s concerns about their privacy rights increase, one thing is becoming abundantly clear: now is the time for businesses to proactively use consumer privacy protection as a marketing tool to distinguish the business from its competitors.
“Putting Privacy First” was originally published in the August 2011 edition of TechNews.
Many businesses view legal compliance as a necessary evil and an obstacle to profits. Thus, compliance is often made a mere formality. Dealing with the complex privacy and data protection rules and regulations is often viewed no differently – be it industry-specific rules such as HIPAA (healthcare), age-specific rules such as COPPA (online marketing to minors), agency-specific rules (i.e., SEC or FTC rules), the rules and regulations of each individual state, or even the various foreign laws such as the Data Protection Act (applies to businesses which conduct any business with many European nations). However counterintuitive it may be for some, forward-thinking businesses do not view privacy and data protection compliance as a necessary drag on revenue, but instead, they use it as a marketing tool to distinguish themselves from the competition and grab an increased market share.
As privacy and data breach issues continue to make front page news on a near-daily basis, and with the U.S. Congress working on sweeping new privacy laws, such compliance concerns are increasing in magnitude and importance. The reality is that whether you are aware or not, the various privacy and data protection laws impact and govern the operations of almost all businesses. For example, if you can answer “Yes” to any of these questions, there are privacy and data protection laws that govern your operations: Do you accept credit cards for payment? Do you gather any personal information about your customers, patients, employees, members or vendors? Do you electronically store any data on your computers or servers? Do you sell or market on the Internet? Do you conduct any business with, or market your business to, any person or entity located in another country? Are you in the financial industry? Do you seek to conduct any credit checks on potential employees or customers? The above only addresses a tiny fraction of the activities which subject you to regulation.
So what can and should a business do to not only survive, but actually thrive in this ever-changing regulatory environment? The answer is quite simple – be compliant and market the advantages of your privacy policies.
As acknowledged by the Washington Post on July 18 in “Tech IPO’s Grapple With Privacy,” Google did not have to deal with online privacy in 2004 as such a concept did not exist. Times have certainly changed. On the same day as the Washington Post article, the New York Times reported in an article entitled “Privacy Isn’t Dead. Just Ask Google+” that “Rather than focus on new snazzy features — although it does offer several — Google has chosen to learn from its own mistakes, and Facebook’s. Google decided to make privacy the No. 1 feature of its new service.” Google+ represents a significant attempt by Google to break Facebook’s near stranglehold on social media. Given Google’s past success, it is no surprise that Google has attacked privacy concerns head-on, and turned consumers’ concern for privacy into a marketing bonanza. Such a strategy has been used successfully in the automobile industry for years by companies such as Volvo, Subaru and Mercedes; each of whom turned consumer concern about automobile safety into a marketing opportunity to distinguish themselves from the competition by marketing their superior safety features.
The obvious next question is how does a business use consumers’ privacy concerns as a marketing tool? The answer is to acknowledge your customers’ concerns, explain how and why your business cares about the customer more than your competitors, and that you will keep them safe. To accomplish this goal, you must first determine which regulatory scheme(s) govern the operation of your business. Second, you must determine the best method for compliance with the applicable law, and whether it makes business sense to implement privacy and data security policies which go beyond the minimum required by law. Third, you should examine how, if at all, your competitors address and promote their privacy obligations. Fourth, you must develop a strategic plan to promote to your customers the superiority of your privacy and data security policies. Importantly, you must not only inform your customers of what your privacy and data security policies are, but how such policies help and protect your customers. For example, Mercedes realized that people were scared of getting injured in car crashes, so their advertisements often explained how Mercedes technology would help avoid accidents (i.e., anti-lock brakes) and how they would protect you if you did crash (i.e., airbags and crumple zones). The same applies to privacy and data protection concerns. In the end, by carefully planning out and implementing each of the above four-steps, you will avoid regulatory problems while simultaneously gaining a leg up on the competition.
A recent data breach demonstrates some relevant concerns. Last week a large marketing firm announced that numerous email addresses and possibly names and addresses of customers of some of its large clients (including banks) were compromised. Some might say email addresses: “No big deal.” Certainly, in and of themselves, email addresses probably don’t qualify as protected personal data under most, if not all, state data breach laws. However, the fallout from the breach has proven somewhat concerning, at least on a reputational front. Numerous articles, blogs, and comments have shown up citing the potential for increased phishing attacks. More importantly, this breach may increase the potential that “spear-phishing” attacks will be successful. Spear-phishing occurs when the bad guys have accurate personal data that they know is attributable to a specific business; thus, they can send a customer an email with specific information engendering a much higher likelihood of confidence that the email is genuine, allowing the bad guys to potentially gain additional information needed to do some damage.
Blindly reading laws, rules, or written industry standards and designing programs solely to meet defined requirements won’t always get a business where it needs to be. Obviously, legal requirements must be interpreted and followed. However, more than that, a thoughtful approach by those who think about privacy and security implications is desirable.
For that matter, the same ideas apply to the way in which a business deals with a breach. For example, if email addresses, street addresses, and names are stolen, and there is a concern surrounding “spear-phishing,” it might not be such a great idea for the compromised business to send out notifications via email asking someone to “click-here” for more information (Note: The author has no information that this was, or was not, done in the actual case). In such a scenario, the business might want to discourage customers from replying to email messages (the exact vector of the phishing attack).
Moral: Be careful about making arbitrary decisions based upon the perceived sensitivity attributed to the type of information without thinking it through.
New Laws Place Restrictions and Limits on After Sale Data Passes and Negative Option Marketing
On December 29, 2010, President Obama signed the “Restore Online Shoppers’ Confidence Act” into law. This new law places restrictions and limits on after sale “data passes” and “negative option” marketing through Internet sales. Senator John D. (Jay) Rockfeller, IV Chairman of the U.S. Senate Committee on Commerce, Science, and Transportation originally introduced the Bill, ultimately becoming this law, in May after the Senate conducted hearings into the practices of Affinion, Vertrue, and Webloyalty. The Committee published information about the objectionable practices. The New York Attorney General’s Office had also opened an investigation against these companies resulting in multi-million dollar settlements.
In a nutshell, these third-parties were offering various membership clubs to users of e-commerce sites. Typically, when a user of an e-commerce site completed an online purchase, that user would be re-directed to join a membership discount club for promotions, rebates, and the like. The user never had to re-enter his or her credit card, because the card information was passed off from the e-commerce site where the user just completed a transaction. Many users apparently did not understand that their credit cards would be charged, since they did not need to re-enter credit card data at the membership club registration. The clubs then typically offered a free trial period after which the user’s credit card would be charged if they did not cancel the membership. If not cancelled, the club operator placed recurring monthly charges to the user’s credit card. In general, the process of interpreting silence as acceptance or automatically charging the user unless they cancelled is a “negative option” sale.
The law prohibits an initial e-commerce vendor from passing-off a user’s credit card information to a third-party in a post-transaction sale for the purposes of that post-transaction third-party’s sale of goods or services to the user.
The law makes it unlawful for a post-transaction third-party seller to charge or attempt to charge a user’s credit or debit card, or bank or other financial account for an Internet sale, unless:
(1) before obtaining the consumer’s billing information, the post-transaction third party seller has clearly and conspicuously disclosed to the consumer all material terms of the transaction, including: (A) a description of the goods or services being offered; (B) the fact that the post-transaction third party seller is not affiliated with the initial merchant, which may include disclosure of the name of the post-transaction third party in a manner that clearly differentiates the post transaction third party seller from the initial merchant; and, (C) the cost of such goods or services; and, (2) the post-transaction third party seller has received the express informed consent for the charge from the consumer whose credit card, debit card, bank account, or other financial account will be charged by: (A) obtaining from the consumer— (i) the full account number of the account to be charged; and (ii) the consumer’s name and address and a means to contact the consumer; and (B) requiring the consumer to perform an additional affirmative action, such as clicking on a confirmation button or checking a box that indicates the consumer’s consent to be charged the amount disclosed.”
The law also makes “negative option” sales illegal unless the seller:
“(1) provides text that clearly and conspicuously discloses all material terms of the transaction before obtaining the consumer’s billing information; (2) obtains a consumer’s express informed consent before charging the consumer’s credit card, debit card, bank account, or other financial account for products or services through such transaction; and (3) provides simple mechanisms for a consumer to stop recurring charges from being placed on the consumer’s credit card, debit card, bank account, or other financial account.”
The law gives the Federal Trade Commission enforcement authority, and also allows state attorneys general to enforce the law, with the remedies and penalties available under the Federal Trade Commission Act.
There has been some confusion generated in online content about this law. Apparently, some are concerned that the law absolutely prevents any post-transaction up-selling, even if it were done by the first-party website where the user made the initial purchase.
However, the law defines a “post-transaction third party seller’’ as one who:
“(A) sells, or offers for sale, any good or service on the Internet; (B) solicits the purchase of such goods or services on the Internet through an initial merchant after the consumer has initiated a transaction with the initial merchant; and (C) is not: (i) the initial merchant; (ii) a subsidiary or corporate affiliate of the initial merchant; or (iii) a successor of an entity described in clause (i) or (ii).”
Thus, it seems fairly clear that an “initial merchant” is not prevented from post-transaction marketing, but is clearly prevented from passing the financial data allowing the charging of the user to another entity. Nevertheless, if e-commerce vendors are cross-selling through any non-subsidiary or corporate affiliate strategic alliances, they should ensure that data passes are not made, and the entity to which the user is referred complies with all transparency obligations. All should note the requirements on “negative option” sales.