
How to comply with E-Commerce Laws and Regulations


Online Business

Setting up your business on the Internet can be a lucrative way to attract customers, expand your market and increase sales. View free Online E-Commerce Course to learn how to build a website and manage an online business. For the most part, the steps to starting an online business are the same as starting any business. However, doing business online comes with additional legal and financial considerations, particularly in the areas of privacy, security, copyright, and taxation.

Rules and regulations for conducting e-commerce apply mainly to online retailers and other businesses that perform consumer transactions by collecting customer data. However, even if you do not sell anything online, laws covering digital rights and online advertising may still apply to you.

The Federal Trade Commission (FTC) is the primary federal agency regulating e-commerce activities, including use of commercial e-mails, online advertising and consumer privacy. FTC's E-Commerce Guide provides an overview of e-commerce rules and regulations.

The following topics provide further information on how to comply with laws and regulations related to e-commerce.

  • Privacy and Security

    Most businesses collect and retain sensitive personal information from their customers and employees such as names, addresses, social security numbers, credit card numbers and other account numbers. Protecting personal information not only makes good business sense, it can also help you avoid legal problems. Depending on the type of data you are collecting, and who you are collecting it from, you may be subject to federal and state privacy laws. This guide explains which privacy laws apply to your business and how to comply with them.

    • Overview of Privacy Laws

      It is becoming commonplace for companies, particularly online businesses, to post privacy policies that describe how consumers' personal information is collected, used, shared, and secured. While not required by law, creating a privacy policy is important if you want people to buy your products, particularly if you are involved in e-commerce. A privacy policy is not just lip service to your customers. You need to make sure your business follows the policy by implementing reasonable security measures to protect your customers' data. Failure to follow your business' own privacy policy can result in costly legal fees.

      Using its authority under the Federal Trade Commission Act, which prohibits unfair or deceptive practices, the Federal Trade Commission (FTC) enforces companies' privacy policies about how they collect, use and secure consumers' personal information. The FTC provides the following resources to help you develop privacy policies that take reasonable steps to secure your customers' data:

      • Federal Trade Commission : Privacy Initiatives
        This comprehensive guide to privacy laws explains the importance of protecting and securing personal information. It includes guidance for businesses, which explains how to comply with privacy laws, including the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, and the Children's Online Privacy Protection Act.
      • Protecting Personal Information : A Guide for Businesses
        Practical advice for protecting and securing sensitive, personal information.

        Identity Theft - Business Owner's Responsibilities

        If one of your customers or employees is a victim of identity theft as a result of personal information you collected, you are required to provide information that assists the victim. The following resources explain the business owner's responsibilities, and provide practical advice on how to protect personal information against identity theft.

    • Using Consumer Credit Reports

      The Fair Credit Reporting Act regulates the collection, dissemination and use of consumer credit information. If your business uses credit reports to extend credit to your customers, as a pre-employment check on potential employees, or furnishes customer information to credit reporting agencies, there are rules and regulations you must follow to ensure the privacy of credit information.

      • Using Consumer Credit Reports : What Employers Need to Know
        As an employer, you may use consumer reports when you hire new employees and when you evaluate employees for promotion, reassignment, and retention as long as you comply with the Fair Credit Reporting Act.
      • Credit Reports : What Information Providers Need to Know
        Provides guidance that businesses reporting consumer credit information to credit reporting agencies must follow under the Fair Credit Reporting Act.
      • Using Consumer Credit Reports : What Insurers Need to Know
        Insurance providers using consumer credit reports to underwrite insurance policies and to screen high-risk applicants must comply with privacy regulations under the Fair Credit Reporting Act.
      • Using Consumer Credit Reports : What Landlords Need to Know
        Fact sheet for landlords using consumer and credit reports to evaluate rental applications.
      • Disposing of Consumer Report Information? New Rule Tells How
        In an effort to protect the privacy of consumer information and reduce the risk of fraud and identity theft, a new federal rule is requiring businesses to take appropriate measures to dispose of sensitive information derived from consumer reports.

        Privacy Laws for Financial Companies

        The Gramm-Leach-Bliley (GLB) Act protects consumers' personal financial information held by financial institutions, including bank and non-bank companies engaged in consumer loans, mortgages, tax preparation and returns, debt collection, credit counseling, and related businesses that deal with personal financing. There are three principal parts to the GLB's privacy requirements: the Financial Privacy Rule, the Safeguards Rule and the pretexting provisions, enforced by the Federal Trade Commission.

        The Financial Privacy Rule requires financial institutions to give their customers privacy notices that explain the financial institution's information collection and sharing practices. In turn, customers have the right to limit some sharing of their information. Also, financial institutions and other companies that receive personal financial information from a financial institution may be limited in their ability to use that information.

        The Safeguards Rule, enforced by the Federal Trade Commission, requires financial institutions to have a security plan to protect the confidentiality and integrity of personal consumer information.

        Pretexting is the use of false pretenses, including fraudulent statements and impersonation, to obtain consumers' personal financial information, such as bank balances. This law also prohibits the knowing solicitation of others to engage in pretexting.

        The following resources provide information and assistance for businesses engaged in banking and consumer finance activities:

        • Gramm-Leach Bliley Act : An Overview
          Provides an overview of the Gramm-Leach-Bliley Act, which includes provisions to protect consumers' personal financial information held by financial institutions. This guide discusses the three principal parts of the Act's privacy requirements: the Financial Privacy Rule, the Safeguards Rule and the pretexting provisions.
        • How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act
          This guide gives small business owners detailed information to help them comply with the Privacy Rule's requirements for protecting consumer financial information. It was written for businesses that provide financial products or services to individuals for personal, family, or household use.
        • Financial Institutions and Customer Information : Complying with the Safeguards Rule
          The Gramm-Leach-Bliley (GLB) Act requires companies defined under the law as "financial institutions" to ensure the security and confidentiality of customer data including names, addresses, and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers.

        The Federal Financial Institutions Examination Council's (FFIEC) guidance, Authentication in an Internet Banking Environment, describes enhanced authentication methods that regulators expect banks to use when authenticating the identity of customers using online products and services. Examiners will review this area during upcoming examinations to determine a financial institution's progress in complying with this guidance.

    • Children's Online Privacy

      The Children's Online Privacy Protection Act (COPPA) requires businesses to follow specific rules and regulations when collecting online data from children. The Rule applies to any commercial website or online service directed toward or collecting information from children under the age of 13.

      The Federal Trade Commission offers several publications providing guidance to online businesses writing a COPPA-compliant policy.

      • Children's Online Privacy Protection Rule : How to Comply
        The Federal Trade Commission staff prepared this guide to help you comply with the new requirements for protecting children's privacy online and understand the FTC's enforcement authority.
      • Children's Online Privacy Protection Rule : Drafting a COPPA Compliant Policy
        Provides guidance to online businesses on writing a COPPA-compliant policy.
      • Children's Online Privacy Protection Rule : Questions and Answers
        These FAQs are intended to supplement the compliance materials available on the FTC's website.
      • Children's Privacy Checklist
        Provides a COPPA checklist for website owners.

        Computer and Information Security

        When consumers open an account, register to receive information or purchase a product from your business, they entrust their personal information to you, believing that you will take steps to protect their information. Threats to the security of information are varied - from computer hackers to disgruntled employees to simple carelessness. Protecting your computer systems with the latest security software is only part of the process of securing your customers' and your company's data. You need to take additional steps that protect information stored in these systems from falling into the wrong hands.

        The following resources provide guidance to help your business develop an overall information security plan that protects not only your computers but also the information your company collects and stores.

        • FBI Services for Businesses
          The Federal Bureau of Investigation offers assistance to businesses in the areas of employee background investigation, antitrust investigation, trade secret and intellectual property protection, cyberspace patrol, economic espionage, and anti-terrorism.
        • Cyber Security Guides and Tips
          The Dept. of Homeland Security provides these guides and current awareness alerts to help businesses secure their computers and networks, and to avoid malicious attacks from hackers and viruses.
        • Securing Your Server : Shut the Door on Spam
          This fact sheet covers quick, easy, and no- or low-cost steps businesses can take to protect their computer systems from misuse.
        • Security Check : Reducing Risks to your Computer Systems
          Brief fact sheet about designing secure computer systems and safeguarding against hackers.

      Collecting Sales Taxes Over the Internet

      If you run a business with a physical storefront, collecting sales tax is pretty straightforward: you charge your customers the sales tax required by the jurisdiction where your business is located. So, if you operate a retail store in Nashville, Tennessee, you collect both state and local sales taxes from customers buying merchandise at your store.

      Now, suppose you start selling your products online. Does that mean you charge online customers the same sales taxes as those coming into your store? It depends.

      If your business has a physical presence in a state, such as a store, office or warehouse, you must collect applicable state and local sales tax from your customers. If you do not have a presence in a particular state, you are not required to collect sales taxes. In legal terms, this physical presence is known as a "nexus." Each state defines nexus differently, but all agree that if you have a store or office of some sort, a nexus exists. If you are uncertain whether your business qualifies as having a physical presence, contact your state's revenue agency. If you do not have a physical presence in a state, you are not required to collect sales taxes from customers in that state.

      This rule is based on a 1992 Supreme Court ruling (Quill v. North Dakota, 504 U.S. 298 (1992)) in which the justices ruled that states cannot require mail-order businesses, and by extension online retailers, to collect sales tax unless they have a physical presence in the state. The Court reasoned that forcing sellers to comply with over 7,500 tax jurisdictions was too complex for sellers to manage and would put a strain on interstate commerce.

      Keep in mind that not every state and locality has a sales tax. Alaska, Delaware, Hawaii, Montana, New Hampshire and Oregon do not have a sales tax. In addition, most states have tax exemptions on certain items, such as food or clothing. If you are charging sales tax, you need to be familiar with the applicable rates.

      Determining which sales tax to charge can be a challenge. Many online retailers use online shopping cart services to handle their sales transactions. Several of these services are programmed to calculate sales tax rates for you.

      International Online Sales

      Selling your products online allows for immediate entry into the global marketplace. However, shipping your product overseas presents a few challenges if you have little experience with the taxes, duties, customs laws, and consumer protection issues involved in international commerce. If you are just getting started, the following resources will help you understand the legal and regulatory requirements when shipping overseas:

      Certain types of merchandise are restricted for export, such as nuclear, chemical, various electronics, computer, and telecommunications / information security equipment. These are subject to the Department of Commerce Bureau of Industry and Security's Export Administration Regulations requirements.

      Online Advertising Law

      An old cartoon in the New Yorker showed two dogs in front of a computer, and had the caption "On the Internet, Nobody Knows You're a Dog." The inherent anonymity of the Internet has fostered a number of shady advertising and marketing practices, such as unsolicited e-mail spam. Over the past decade, federal and state governments have passed additional advertising laws that protect consumer privacy and ensure fair and truthful advertising practices online. If you plan to advertise online -- whether you're buying ads on search engines or direct marketing through e-mail -- you'll need to understand some basic rules.

      • Advertising and Marketing on the Internet : Rules of the Road
        Discusses the applicability of federal advertising laws to Internet advertising and marketing.
      • Dot Com Disclosures : Information about Online Advertising
        This fact sheet describes information businesses should consider as they develop online ads to ensure that they comply with the law.
      • CAN-SPAM Act : Requirements for Businesses
        The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act) establishes requirements for those who send commercial email, spells out penalties for spammers and companies whose products are advertised in spam if they violate the law, and gives consumers the right to ask emailers to stop spamming them. Commercial e-mail messages must include notice that the message is an advertisement or solicitation, an opt-out notice, and a valid postal address of the sender. CAN-SPAM also prohibits falsification of transmission information and deceptive subject headings. The Act creates criminal prohibitions against those who knowingly transmit spam through others' computers without authorization. Also, the Federal Trade Commission may pursue individuals who knowingly hire others to send deceptive spam.
      • "Remove Me" Responses and Responsibilities
        Claims that you make in any advertisement for your products or services, including those sent by email, must be truthful. This means that you must honor any promises you make to remove consumers from email mailing lists.

      Digital Rights

      Personal data is not the only thing protected on the Internet. Digital works, including text, movies, music and art are copyrighted and protected via the Digital Millennium Copyright Act (DMCA). The DMCA offers a number of protections for information published to the Internet, as well as other forms of electronic information. Among its many provisions, the DMCA

      • Shields Internet service providers from copyright infringement liability for simply transmitting information over the Internet. However, service providers are expected, upon notification, to remove material from their web sites that appears to constitute copyright infringement.
      • Limits the liability of non-profit educational institutions for copyright infringement by faculty members or graduate students.
      • Makes it a crime to circumvent anti-piracy measures built into most commercial software. However, reverse engineering of copyright protection devices is permitted to conduct encryption research, assess product interoperability, and test computer security systems.
      • Provides exemptions from anti-circumvention provisions for non-profit libraries, archives, and educational institutions solely for the purpose of making a good faith determination as to whether they wish to obtain authorized access to the work.
      • Outlaws the manufacture, sale, or distribution of devices used to illegally copy software.
      • Requires that "webcasters" pay licensing fees to record companies.
