In today’s digital world, consumers can manage all sorts of personal financial activities online. This includes everyday transactions like shopping and banking and more specialized online financial activities like gambling, charitable giving and online auctions. To protect the growing number of consumers who are active online, federal lawmakers have developed laws and policies designed to help ensure the safety of consumer transactions in e-commerce. Without these legal protections, consumers would be subject to scams, fraud and other illicit activities that put their personal finances and privacy at risk.
This module discusses legislation that addresses consumer protection and combats internet and computer fraud. The analysis begins with an overview of the development of e-commerce consumer protection laws in the U.S., highlighting the origins of the growing field of online consumer rights. Next, we’ll dig into the more recent federal laws developed to address common online consumer issues, including unsolicited emails, and legal protections afforded to online retail shoppers. Following this more specific analysis, the discussion turns to the regulatory system that helps ensure federal online consumer protection laws are properly enforced.
Development of U.S. E-Commerce Consumer Protection Laws
By the 1980’s, Congress became concerned with the lack of law enforcement directives for internet crimes. While telecommunications fraud statutes often extended to e-commerce communications, there was a need for new laws addressing computer-related crimes and frauds. In 1986, Congress enacted the Computer Fraud and Abuse Act, a law that prohibits anyone from accessing a computer or computer network without the owner’s consent.[1] This early law criminalized hacking, cybertheft and destruction of private and classified information, and it penalized the theft of property in which a computer was used.
The Computer Fraud and Abuse Act continues to maintain its relevance in combating e-commerce fraud. In fact, Congress has amended the Act several times to address the growing sophistication of cybercriminals. As amended, the Act criminalizes even the mere threat of damaging another person’s computer equipment, stealing computer data, publicly disseminating stolen data and refusing to repair damage the offender caused to one’s computer, such as through ransomware. Moreover, under certain circumstances, the law permits victims of computer fraud the right to bring civil actions against offenders for injunctive and compensatory relief.[2]
Many of the existing consumer protection laws that apply specifically to internet transactions were developed from laws regulating commercial activity by telephone. The prevention of telephone-based fraud remains an important law enforcement prerogative. In fact, the most prevalent complaint the Federal Communications Commission receives from consumers is that of unwanted, unsolicited telephone calls.[3]
The most significant regulations for businesses who advertise by phone apply to those who practice robocalling. Robocalling is the use of an automated telephone dialing system that employs prerecorded voice messages or other artificial means.[4] While there are some legitimate uses for robocalling, such as advocacy for political candidates or charitable organizations, more often, it is used as a means to perpetrate a scam, such as fraudulently obtaining one’s personal information to commit identity theft.[5] In response to the potential consumer protection issues raised by the practice, Congress enacted the Telephone Consumer Protection Act of 1991.[6]
Among other things, the Telephone Consumer Protection Act requires entities who regularly make commercial or solicitation calls to maintain do not call lists. In 2003, Congress updated the Act to establish a national do not call registry. This amendment also required telemarketers to “scrub” their telephone number databases of any numbers included on the national list.[7] Additionally, the Act requires a robocaller to identify the organization that is calling and provide its telephone number and address.[8] The Act was again modified in 2012 to require telemarketers to obtain written consent from consumers prior to robocalling them and to close loopholes allowed by broad exemptions in the prior law. The amendments also required telemarketers to provide automated, interactive ‘opt-out’ mechanisms that consumers can use to immediately tell telemarketers to stop calling.[9] In 2017, the Federal Communications Commission adopted rules that allowed telephone companies to preemptively block calls they believe to be fraudulent. These numbers are targeted because they are either invalid – meaning that they use non-existent area codes, do not belong to a service provider or are not currently in use – or seem to be unable to make outgoing calls.[10]
Federal Laws Regulating Unsolicited Emails, SPAM, and Spyware
As email became more and more popular after the turn of the millennium, lawmakers became concerned about the potential for consumer abuse in the form of unsolicited or fraudulent emails. In 2003, Congress enacted the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, more commonly referred to as the CAN-SPAM Act.[11] This law represents a progression in the development of federal e-commerce consumer protection laws, which had previously focused on telephone calls and the nearly obsolete fax machine.
The CAN-SPAM Act addresses e-mails sent as commercial advertisements or promotions of commercial products or services. Every business that sends unsolicited or commercial emails should be aware of the law’s requirements. First, CAN-SPAM prohibits emails from including false or misleading subject headings. The law also requires the subject line to be accurate and the message to be clearly identified. Additionally, CAN-SPAM requires the sender to include its postal address in the subject matter and notify recipients of their ability to opt out of future emails. The law requires the sender to honor those opt-out requests within ten days of receipt and it includes a prohibition against charging recipients for the service.
CAN-SPAM also prohibits the sale or transfer of a recipient’s email address, subject to limited exemptions. Finally, the law prohibits organizations from avoiding compliance with the law. For example, a company that is selling a product but uses a third-party to promote that product via email remains legally responsible for the actions of the third party. CAN-SPAN’s broad set of anti-fraud policies are designed to punish and deter consumer abuse perpetrated via email. The law provides for strict penalties for statutory violations, including fines of over $40,000 per violation.[12]
CAN-SPAM also differentiates between commercial content and transactional content. To determine an email’s primary purpose under the law, regulators look from the perspective of a reasonable consumer looking at the subject line of an unsolicited email. If the recipient would likely interpret the subject line to indicate that the message contains a commercial advertisement or promotion, then the email is considered to be commercial in nature. An email is transactional in nature, on the other hand, if the content of the email message pertains to a transaction a consumer made with an organization, such as a product warranty, recall or similar required notice; concerns changes in terms of agreements or provides account balance information; concerns an employment arrangement; or provides good or services that the consumer has already authorized. Transactional emails are exempt from CAN-SPAM’s main restrictions.[13]
Another important law protecting consumers online is the Undertaking Spam, Spyware, and Fraud Enforcement with Enforcers Beyond Borders Act of 2006,[14] more commonly known as the SAFE WEB Act. SAFE WEB’s primary purpose is to “fight spam, spyware, and Internet fraud and deception.”[15] The law represents an expansion of the policies already established by the Computer Fraud and Abuse act and the CAN-SPAM Act. Whereas other acts focused primarily on addressing consumer fraud on a national level, the SAFE WEB Act targeted global fraud issues to protect American consumers.[16]
SAFE WEB offers important consumer safeguards relevant to spyware, spam, and other internet attacks, which represent a growing global concern. In 2004, regulators received over 860,000 complaints regarding spam, spyware, and internet fraud. By 2014, this figure tripled to well over 2.5 million complaints.[17] These figures provide convincing support for increased legislative and regulatory measures combating internet fraud. To help address the issue, the SAFE WEB Act expands the FTC’s discretion in combating international computer fraud targeting United States citizens. For example, the SAFE WEB Act permits the Federal Trade Commission to share its confidential data with foreign law enforcement agencies. This allows the agencies to cooperate with foreign law enforcement officials to help curb internet activity supporting international fraud. This cooperation allows for more comprehensive policing of international illegal activity and incentives other countries into sharing reciprocal information.[18]
Online Retail Consumer Protections
These laws all protect some aspect of online consumer activity. Laws have been placed on the books addressing unauthorized access of consumer financial information, hacking and computer fraud and commercial advertisements made via email. Another important area is the laws and regulations addressing online retail customers.
To create additional protections for consumers purchasing goods online, Congress passed the Restore Online Shoppers’ Confidence Act, also known as ROSCA, in 2010.[19] ROSCA fills gaps in the growing field of online consumer protection. For example, the law regulates a practice known as data pass, which occurs when an online shopper makes a purchase with an initial merchant, but that merchant then uses a third party to process the payment. Without regulation, this opens the door for the third party to sell the customer’s data, making a profit off of the unknowing consumer’s personal information. ROSCA prohibits the practice of data passing to prevent the sale of personal retail consumer information.
In addition, ROSCA imposes requirements on negative option features. According to the Federal Trade Commission, a negative option feature is an offer to sell goods or services that includes a provision that makes the customer’s silence or failure to affirmatively reject the goods or services an acceptance of the offer.[20] Companies offering negative options often rely on consumers either forgetting or not realizing that they’re being perpetually billed. That’s because negative option features are often employed when a company offers a customer a free service or product, but at the time of registration, requires the customer to include credit or debit card information. Then, the consumer becomes enrolled in a subscription plan or membership.[21]
ROSCA does not make negative option features illegal. Rather, the law requires online sellers to ensure that consumers who sign up for subscription plans intend to enter into such agreement. Therefore, ROSCA prohibits a company from initiating a negative option plan unless it clearly and conspicuously discloses all material terms of the transaction before the consumer submits billing information. The company must also obtain a consumer’s informed consent before charging his or her account, and the law requires simple mechanisms for consumers to prevent unwanted recurring charges.[22] Like the suite of other federal online consumer protection laws, ROSCA imposes hefty civil penalties for anyone found to be in violation of the law. A ROSCA penalty can be as much as $16,000 per violation, in addition to any restitution payments and/or equitable relief required to make the victimized consumers whole again.[23]
Administrative Regulations to Protect Online Consumers
The two executive agencies most involved with protecting online consumers are the Federal Trade Commission, or the “FTC” and the Federal Communications Commission, or “FCC.” Although those two agencies initially worked independently, over time it became necessary to clarify jurisdictional issues with regard to each agency’s roles and responsibilities regarding consumer complaints against internet service providers. As a result, in December 2017 the agencies entered into a formal agreement to coordinate their efforts to more effectively protect online consumers. The agreement reflects updated policy initiatives that have been put into place under the Trump administration, particularly regarding the changes in online consumer protection that have followed the new leadership’s change in policy.[24] Most notably, this includes the “Restoring Internet Freedom” Order that effectively repealed the Obama administration’s broad net neutrality policy.[25] In general, the Trump-era Federal Communications Commission has taken a “light touch” to regulating internet commerce, preferring instead to encourage creativity and innovation by relaxing the previously expansive requirements regarding internet consumer access.[26]
The FCC and the FTC share regulatory jurisdiction in the field of online consumer protection, and the memorandum of understanding executed by the agencies divides roles and responsibilities broadly based upon the agencies’ respective mandates. For example, the FCC is required to promote transparency in online communications pursuant to the requirements of its mandate. To fulfill this requirement, the agency will monitor online markets and identify obstructive business practices. This includes reviewing informal consumer complaints and performing investigations where appropriate. The FTC, on the other hand, is responsible for preventing unfair and deceptive business practices in online commerce. So, while the FCC is responsible for reviewing consumer complaints, the FTC investigates and takes enforcement actions against those alleged to have violated applicable laws.[27]
In addition to the cooperative enforcement of online consumer protection laws established by the agreement between the FCC and FTC, the FTC imposes a suite of rules specifically addressing consumer protection in online advertisements. Most significantly, the FTC issued its Dot Com Disclosures guidance document in 2000 after an opportunity for public comment and notice. [28] While the details of the FTC’s policies outlined in the Dot Com disclosures are discussed in greater detail in Module 1, it bears mentioning that the agency closely regulates the form and content of information distributed in e-commerce to prevent unfair or deceptive practices.
To ensure consumers are properly protected from false or misleading ads, the FTC requires all advertisements and other commercial communications made online to be clear and conspicuous. This standard is subjective, meaning that the question of whether a particular piece of information shared in e-commerce is deceptive or unfair rests on the perspective of the customer. Representations about commercial products or services made online must be easily visible and understandable to the average consumer, and the agency places the responsibility on the website owner to ensure that consumers receive fair and accurate information.[29]
Conclusion
Over the past thirty years, federal laws have developed a robust suite of online consumer protections that regulate common activities that consumers undertake online. However, these laws must constantly be revisited to address the growing needs of online consumers. With the perpetual advancement in technology, it is unclear how effective the existing online consumer protection law enforcement scheme will be in coming years. As a result, Congress may need to consider crafting additional laws to address consumer privacy concerns and ongoing consumer fraud issues.
[1] 18 U.S.C. § 1030.
[2] H. Marshall Jarrett & Michael W. Bailie, Prosecuting Computer Crimes, Dep’t of Justice Office of Legal Education, https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ccmanual.pdf.
[3] Will Wiquist, FCC Adopts Rules to Allow Phone Companies to Proactively Block Illegal Robocalls, Fed. Communications Comm. (Nov. 16, 2017), https://www.fcc.gov/document/fcc-adopts-rules-help-block-illegal-robocalls.
[4] Telemarketing and Robocalls, Federal Communications Commission, (Mar. 27, 2018), https://www.fcc.gov/general/telemarketing-and-robocalls.
[5] Consumer Help Center, Fed. Communications Comm., https://www.fcc.gov/consumers/guides/stop-unwanted-calls-and-textsrob; Robocalls, Fed. Trade Comm., https://www.consumer.ftc.gov/articles/0259-robocalls#what_is.
[6] Telephone Consumer Protection Act, 47 U.S.C. § 227.
[7] Fed. Communications Comm., FCC 03-153 Report and Order (June 26, 2003).
[8] 47 U.S.C. § 277.
[9] Telemarketing & Robocalls, Federal Communications Comm., (Mar. 27, 2018) https://www.fcc.gov/general/telemarketing-and-robocalls; Will Wiquist, FCC Adopts Rules to Allow Phone Companies to Proactively Block Illegal Robocalls, Fed. Communications Comm. (Nov. 16, 2017), https://www.fcc.gov/document/fcc-adopts-rules-help-block-illegal-robocalls.
[10] Will Wiquist, FCC Adopts Rules to Allow Phone Companies to Proactively Block Illegal Robocalls, Fed. Communications Comm. (Nov. 16, 2017), https://www.fcc.gov/document/fcc-adopts-rules-help-block-illegal-robocalls.
[11] 15 U.S.C. § 103.
[12] CAN-SPAM Act: A Compliance Guide for Business, Fed. Trade Comm., (Sept. 2009), https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business.
[13] Id.
[14] Undertaking Spam, Spyware, and Fraud Enforcement withEnforcers beyond Borders Act of 2006, Pub. L. 109-455, 120 Stat. 3372 (codified as amended at 15 U.S.C. §§ 41 et seq.).
[15] Summary of the USA SAFE WEB Act, Fed. Trade Comm., https://www.ftc.gov/sites/default/files/documents/reports/us-safe-web-act-protecting-consumers-spam-spyware-and-fraud-legislative-recommendation-congress/summary-us-safe-web-act.pdf (last visited June 24, 2018).
[16] Fed. Trade Comm., The US SAFE WEB Act: Protecting Consumers from Spam, Spyware, and Fraud: A Legislative Recommendation to Congress, 1-3 (June 2005), https://www.ftc.gov/sites/default/files/documents/reports/us-safe-web-act-protecting-consumers-spam-spyware-and-fraud-legislative-recommendation-congress/ussafeweb.pdf.
[17] John Wihbey, Rates of Fraud, Identity Theft and Scams Across the 50 States: FTC Data, Journalist’s Resource (Mar. 4, 2015), https://journalistsresource.org/studies/government/criminal-justice/united-states-rates-fraud-identity-theft-federal-trade-commission.
[18] An Explanation of the Provisions of the US SAFE WEB Act, Federal Trade Commission, https://www.ftc.gov/sites/default/files/documents/reports/us-safe-web-act-protecting-consumers-spam-spyware-and-fraud-legislative-recommendation-congress/explanation-provisions-us-safe-web-act.pdf (last visited June 24, 2018).
[19] 15 U.S.C. §§ 8401-8405 (2010)
[20] Benjamin Stein, FTC Brings First Actions Under the Restore Online Shopper’s Confidence Act, InfoLaw Group, LLP (Nov. 3, 2014) https://www.infolawgroup.com/2014/11/articles/ftc/ftc-brings-first-actions-under-the-restore-online-shoppers-confidence-act/.
[21] Marlys Harris, The FTC Says “No” to a Negative Option Fraud, CBS News (Dec. 8, 2009) https://www.cbsnews.com/news/the-ftc-says-no-to-a-negative-option-fraud.
[22] 15 U.S.C. § 8403(1)-(3).
[23] Negative Options: FTC Alleges ROSCA Violations for First Time, Frankfurt Kurnit Klein & Seltz, (Oct. 28, 2014), http://fkks.com/news/static_print/negative-options-ftc-alleges-rosca-violations-for-first-time.
[24]Memorandum of Understanding Regarding Restoring Internet Freedom, Fed. Communications Comm. & Fed. Trade Comm. (Dec. 14, 2017), https://www.ftc.gov/system/files/documents/cooperation_agreements/fcc_fcc_mou_internet_freedom_order_1214_final_0.pdf (last visited July 18, 2018).
[25] Mark Wigfeld, FCC Acts to Restore Internet Freedom, Federal Communications Comm., (Dec. 14, 2017), https://www.fcc.gov/document/fcc-releases-restoring-internet-freedom-order.
[26] Id.; Federal Communications Commission, Restoring Internet Freedom: Declaratory Ruling, Report, and Order, WC Docket No. 11-108 (Nov. 22, 2017), https://apps.fcc.gov/edocs_public/attachmatch/DOC-347927A1.pdf.
[27] Memorandum of Understanding Regarding Restoring Internet Freedom, Fed. Communications Comm. & Fed. Trade Comm. (Dec. 14, 2017), https://www.ftc.gov/system/files/documents/cooperation_agreements/fcc_fcc_mou_internet_freedom_order_1214_final_0.pdf (last visited July 18, 2018).
[28] 15 U.S.C. §§ 41-58; Federal Trade Commission, .com Disclosures: How To Make Effective Disclosures in Digital Advertising, 1-2 (March 2013), https://www.ftc.gov/system/files/documents/plain-language/bus41-dot-com-disclosures-information-about-online-advertising.pdf.
[29] Id. at 4.