August 24, 2011
Surfers know that the waves come in periodic sets which are separated by relative lulls. Beginning in 2009, there’s been a tsunami of new and complex legal regulations for websites that also seems to be coming in sets.
We’re now in a temporary lull, but the next set is on the horizon, and rapidly heading our way. If you’re an Internet marketer or operate a SaaS business, now is a good time to quickly review the following checklist of the set just passed, as well as the set that’s fast approaching. The objective should be to gain an understanding sufficient to comply with the new laws and regulations – and to stay above water, so to speak.
The Set Just Passed
These new laws and regulations are having a significant impact on online businesses.
* HIPAA HITECH – passed as part of the American Recovery and Reinvestment Act of 2009 (also known as the “Stimulus”), HIPAA HITECH extended the Privacy and Security Provisions of HIPAA to Business Associates of Covered Entities. The effect is that now service providers which provide SaaS, software, or data processing or consulting services to healthcare organizations will be treated as Covered Entities for purposes of privacy and security, with the corresponding increase in liability exposure.
* Red Flags Rule – requires covered businesses to implement a written Identity Theft Prevention Program designed to detect the warning signs of identity theft (the so-called “red flags”). The Federal Trade Commission (FTC) extended several deadlines for compliance in 2009 and 2010 due to difficulties in defining “creditor” for purposes of covered businesses. The final ruling effective December 18, 2010 amended the definition of “creditor” by excluding businesses that advance funds for expenses incidental to a service provided by the creditor to that person. So, businesses that provide online services (SaaS) are exempt, but businesses that advance funds for the purchase of products appear to be covered.
* FTC Guides Governing Endorsements and Testimonials – effective December 1, 2009, the Guides stated the FTC’s enforcement policy affecting marketers and bloggers that post testimonials of others or provide testimonials for the products or services of others. The Guides require disclosure of “material connections with advertisers such as the receipt of compensation or freebies,” or face fines of up to $11,000.
* FTC Preliminary Staff Report – issued in December 2010, the FTC stated its criticism of “long, incomprehensible privacy policies that consumers typically do not read, let alone understand”. The FTC stated its policy that “although privacy policies may not be a good tool for communicating with most consumers, they still could play an important role in promoting transparency, accountability, and competition among companies on privacy issues – but only if the policies are clear, concise, and easy-to-read.” In its Staff Report, the FTC (i) also added a new category of information that’s now subject to privacy regulation, which includes location data, and (ii) announced its future requirements for “Privacy By Design.”
* Restore Online Shopper’s Confidence Act (ROSCA) – effective December 29, 2010, ROSCA regulates online Data Pass Transactions and Negative Option Billing Plans. Data Pass Transactions include the passing of billing information from one online merchant to another for purposes of upsells. A Negative Option Billing Plan includes recurring billing arrangements that are found in many membership websites.
* FTC Policy on Behavioral Advertising – on March 14, 2011, the FTC announced a settlement regarding behavioral advertising, and along with it, the FTC’s policy requiring prior notice and an opt-out mechanism for the collection of data online for behavioral advertising purposes. Behavioral ads are based on anonymous data collected on how a user’s computer browses the Internet, including websites visited, searches made, and content read. This data is used to create a behavioral profile that is linked to a specific demographic.
The Set That’s Fast Approaching
The following proposed laws and regulations, if passed, will have a huge impact on online businesses.
* The Commercial Privacy Bill of Rights – announced on April 12, 2011 by Senators John Kerry (D-Mass) and John McCain (R-Ariz). The proposed legislation could become the first federal privacy and data security law. If passed into law, The Commercial Privacy Bill of Rights will have a huge impact on how personal information is collected, used, and shared online.
* The Do-Not-Track Online Act of 2011 – announced on May 9, 2011 by Senator Jay Rockefeller (D-WV). The proposed legislation would allow consumers to opt out from having their personal information tracked by online advertisers. This legislation is consistent with the FTC’s policy on behavioral advertising listed above.
* The Data Security and Breach Notification Act – announced on June 15, 2011 by Senators Jay Rockefeller (D-WV) and Mark Pryor (D-Ark). The proposed legislation would mandate that online collectors of personal information implement certain baseline data security standards. The proposed legislation would also pre-empt the confusing patchwork quilt of data breach notification laws passed by forty-six states, the District of Columbia, and U.S. Territories.
* The Location Privacy Protection Act – announced on June 15, 2011 by Senators Al Franken (D-Minn) and Richard Blumenthal (D-Ct). The proposed legislation would require that companies obtain a user’s consent prior to collecting or sharing location data. This legislation is consistent with the FTC’s policy on location data announced in the FTC Preliminary Staff Report listed above.
It’s abundantly clear that beginning in 2009, we’re now in a new era of legal regulations for websites. The old “wild, wild, west” days prior to 2009 are long gone.
And it’s not too much of a stretch to view these laws and regulations, both existing and proposed, in terms of a tsunami. After such a long period where legal regulations for websites were few and far between, it’s now difficult for many online businesses to comply and to stay above water with the increased pace of regulation.
The price for failure to comply in terms of liability exposure can be very high.
Leading SaaS attorney Chip Cooper has automated the process of drafting Website Legal Documents with his Website Legal Forms Generator. Use his free online tool — Website Documents Determinator — to determine which legal documents your website really needs. Discover how quick, easy, and cost-effective it is to draft your website legal forms at http://www.digicontracts.com/whichdocs/.