Nexus is something that many retailers have, but do not know they have. Some people compare nexus to leprosy. I don’t think it’s quite that bad, but it can be a hidden disease. Prudent direct marketers are careful not to trip the nexus wire.

– Martin Eisenstein

Marty I. Eisenstein is a senior partner with Brann Isaacson, a Maine law firm specializing in direct marketing law.

Brann Isaacson’s client list reads like a Who’s Who of direct marketing, and Marty and the firm are actively involved in the direct marketing industry and the legislative arena.

Marty shared his thoughts on tax law, gift cards, and legal best practices for online retailers in this podcast.

Listen to podcast: Martin_Eisenstein_Interview_2008-1-11.mp3

Marty Eistenstein Transcript

Alan Rimm-Kaufman: Hello everyone. This is Alan Rimm-Kaufman and I’m delighted to be here today with Marty I. Eisenstein of Brann & Isaacson. Hello, Marty!

Marty Eisenstein: Hi, Alan! How are you?

Alan: Great. And it’s it’s wonderful to speak to you.

Marty: Good to speak to you too.

Alan: You are an attorney at a law firm that specializes in direct marketing.

Marty: That’s correct. Direct marketing and online law. We used to call it “catalog law”, but you know now that we’ve moved into the 21st century we’ve gone even past “direct marketing law” and we now call it “online law”.

Alan: Online marketing. Online retailing. Both are very young businesses. Are there many federal statutes that cover these areas?

Marty: Not many. Most of the laws that have been adopted in this area have been by the state legislatures. There are three specific federal statutes and laws that apply in this area. And then there are a hodge podge of state laws and that’s what makes the area very challenging law.

The three federal laws are one which is a federal statute that was adopted three or four years ago called the Can-Spam act. It governs outgoing email, when you can send an email and what you need to put in the email. CAN-SPAM is a federal statute.

The second federal law is a regulation under the Federal Trade Commission Act. And it applies – it was formerly called the Mail Order Rule, but it applies to online marketers as well. And it relates to what promises you make in terms of shipping items to purchasers of products. So it basically says that if you commit by advertisement or by your telephone conversation to a specific shipping date, you need to follow that shipping date. And if you don’t commit to a specific shipping date, the default is a 30-day shipping date. In the event you’re not able to meet either one of those dates then you need to notify your customer.

And depending upon the circumstances, you either need the customer’s affirmative permission to continue to supply the item to the customer or you need – or you can go on the principle of opt out. Namely that unless you hear from the customer you can continue to ship the merchandise.

Alan: And the third?

Marty: The third statute is called FACTA. It applies not only to online marketers, it applies to any retail merchant that receives credit cards and payment. And obviously online marketers will receive, in large part, credit cards. What that law basically says is that you cannot — that is, a direct marketer cannot — record the last five digits of the credit card number. It’s a couple year old law and it’s a not very well known law, but there have been a number of lawsuits against online marketers including against some larger companies for failure to observe that law.

Alan: In short, the Can-Spam law governs email practices. The Mail Order Rule governs getting shipments out the door quickly. And the FACTA law governs how to store credit card data.

Marty: That’s correct.

Alan: Which poses the greatest risk to an online retailer?

Marty: I would say that each one of those has equal prominence.

But I would think that the more prominent issue for an online marketer are the state laws and in particularly the privacy laws. An increasingly hot area in the law is privacy.

And you get those regs from both FACTA, but more importantly from the state laws. I would say is you would follow the guide of the squeakiest wheel, which usually tends to be the California laws.

Alan: So, retailers should pay particular attention to the state statutes?

Marty: Yes.

Alan: But earlier in the call you described the state regs as a hodge-podge of rules.

Marty: Yes, that’s correct.

Alan: If you simply follow the California laws, is that enough? Or do the different state laws disagree?

Marty: Well, following the California law is often the safest course.

Unfortunately, you’re not absolutely safe unfortunately because even though you may be operating an online site from your location in pristine Maine, you would still be subject to the state laws if you sell and market to customers in those states. Yes, the states laws are a hodge podge, and they can be divergent.

But what has tended to happen is that California has been out front as it is in other areas, but particularly online marketing. California has been setting the standard. And by and large the other states have followed suit, but not precisely.

There are some states, for example in the privacy area, that not only require some of the California standards, but set a separate standard that basically requires adopting a privacy policy. Which most online marketers have — but that is not necessarily required by every states’ laws. But there are a couple states that do require having a privacy policy.

Alan:Suppose you took all the areas of the law that relate to online retailing — those might include email, fair trade, pricing, intellectual property, trademark, tax, and so forth — and you wrote those down for each of the states. That is, tallying laws from all states in all areas, how many laws need an online retailer be aware of and abide by? Is this a list of 10, of 50, of 100?

Marty: No, I would say it’s more – it’s greater than 10 and probably fewer than 50 different areas is what you’re talking about.

But, yes, there are a multitude of laws that a company would have to contend with.

For example, the interesting question tax law. There are 6,000 jurisdictions that have state taxes. Now an online marketer is required to comply with each state’s tax laws. That means file tax returns, collect sales tax in the case of a sales tax, and to remit the sales tax if it has nexus with a particular state or jurisdiction.

When I said 6,000 jurisdictions, that includes both states and local jurisdictions like municipalities and counties. The same standard of nexus is not true for other areas of the law like privacy, like consumer protection. We’ll talk a little bit about consumer protection in a bit.

Alan: Can you define “nexus” for folks that aren’t familiar with it?

Marty: Sure. It’s a lawyer’s Latin term that has been over abused. But basically “nexus” means having a physical presence in a state, which would consist of maintaining employees in a state, owning property in a state, and/or having a sales representative try to develop sales of products in your state.

Alan:If I’m an online retailer in states where I have property, employees, sales agents, and so forth, then I have established nexus. What does establishing nexus mean to me?

Marty: If you establish nexus, not only do you have to satisfy all the other standards that we talked about, privacy etcetera, but you are required to, on all your taxable products which is basically everything that you sell into a state with certain exceptions, you’re required to collect tax.

And if you don’t collect the sales tax, the state’s sales tax and local taxes as well, if you don’t collect the sales tax the direct marketer –- the online marketer is liable for that tax.

And if you don’t remit the tax you’re then liable for interest and penalty.

And penalties can be up to 25% of the amount of the tax.

So an online marketer gets a double whammy in effect by the fact that it’s a tax that really is not the marketer’s, the retailer’s responsibility. It’s customer’s responsibility. It’s just acting as an agent for the state. So if it doesn’t collect the tax it’s responsible not only for the tax, but also for interest on that tax as if it never had – as if it had that money and was using that money, which it was not.

And then it’s responsible to boot, to add insult to injury, for — sometimes for penalties.

Alan: Is nexus something that a retailer files for?

Marty: No, it’s not.

It’s something that many retailers have, but they do not know they have. Some people have analogized it to leprosy. I don’t think it’s quite that bad. But it can be a hidden disease. So a prudent direct marketer – the largest – the larger of my clients who are online marketers, direct marketers internally look at and make sure that they do not trip the nexus trip wire.

Alan: I worked in the catalog industry. There, nexus was a very common concept. We took many careful legal steps to avoid creating nexus.

Are the catalogers just too conservative, or are the online folk just insane?

Marty: I don’t think it’s either one. I don’t think catalogers are too onservative because I think almost all catalogers also have an online presence of course. You know in these days of multi-stage retailing of course they have an online presence. Everyone has an online presence.

But I think what happens is for the start-ups for the online marketers who only have a presence online, they believe that they don’t have bricks and mortars in a state.

They don’t have a retail store so they mistakenly think they’re safe.

As for the online retailers, I don’t think there’s a phenomenon of them being crazy or cowboys. I just don’t think they’re looking closely enough at the potential implications of some of the their activities.

Because there are a number of activities that you would say – one would say, “Well, I don’t know. I don’t really have an employee in this state.” But you may, for example, have an affiliate relationship where you have – you commission out to independent contractors sales leads. That potentially can create nexus.

Alan: There’s a whole affiliate marketing industry where retailers pay affiliates nationwide on a percentage of sales they deliver. Would that be creating nexus in every state?

Marty: It could.

Yes, it could. That’s why structure and looking at the relationships is very important.
The legal details of the affiliate contract matter a great deal. Structuring those contracts so that they don’t create nexus is is an important thing that an online marketer should do.

Alan: Earlier you had said that there might be between 10 and 50 state statutes that a nationwide direct retailer must be aware of.

Marty: That was on a state-by-state basis. There are well over 100, if you count all the statutes from all of the states.

Alan: Yes, all laws from all states, that’s the disturbingly large number I was referring to. So with hundreds of these statutes with which an online retailer is obligated to comply, how does a retailer know even what all these laws are?

Marty: Not to toot my horn, but we’ve compiled a list of state statues in the privacy area. And I’ve complied a list of state statutes for gift cards.

(I realize you haven’t asked me about gift cards yet.)

Compiling and maintaining the lists is difficult, but not impossible. Generally you have to stay aware of those laws. A retailer could either employee people or reach out to consultants to help you and navigate the overwhelming number of state and federal statutes governing online retail.

Alan: You’ve graciously before offered to share those lists with the folks on our blog.

Marty: Yes. I think I’ve also shared also with you the privacy standards. I also have a schematic on the CAN-Spam law, and on the mail order rule. Your listeners may want to look at those as well.

Alan: Fantastic. Thank you for allowing us to share those. They’re an amazingly valuable resource for online retailers.

Marty: Sure.

Alan: You mentioned gift cards. Gift cards are a huge business these days. That industry is growing like a weed. What are the legal issues around gift cards?

Marty: Gift card laws basically fall into three categories of statutes.

One is the Federal Trade Commission statute, which is a general standard that prohibits unfair and deceptive trade practices. And the FTC has entered this – the fray against KMart and other companies of that nature – not of that nature, but against other companies because they failed to conspicuously disclose that there was a, for example a dormancy fee. And a dormancy fee means if there’s a fee – if you don’t activate, don’t use the gift card within a certain time period. So you have the Federal Trade Commission statute and enforcement as one category.

You have a second category, which are the state laws, a list of which I’ve made available to you previously. And those laws say some states prohibit expiration dates of gift cards. Some states prohibit these kind of dormancy fees. In other words fees for not using the gift card. California is a good example of states that – California and Massachusetts are good examples of states that prohibit expiration dates.

There are a couple state statutes – I think Florida is one — which prohibit dormancy fees. But these statutes are being adopted with increasing regularity. So dormancy fees are really a treacherous area.

I update my Gift Card regulation chart every month. I have to, because the state laws are changing so rapidly.

And then there’s a third area, which is the hidden tax. States don’t call it a tax of course. They call it a “revenue enhancer”. They call it “protection for the consumer.” Those are called the escheat laws.

About 26 states escheat. What the escheat laws require is the turnover of the face value or some portion of the face value of the gift certificate to the state if the proper owner of the gift certificate or gift card does not redeem the gift card within a specific time frame. They’re a monetary obligation on the part of a holder such as a seller of gift cards to certain states.

They’re complicated; the full details are well beyond this conversation.

Alan: So the “breakage”, as the unused portion of gift cards is commonly caller — the breakage doesn’t just go to the retailer?

Marty: No, no. Breakage doesn’t go to the retailer. It does in certain states, but then there’s a whole series of tests that the retailer should be aware of to make sure it does not get into a bind.

The problem with the escheat laws is that there is generally not a statute of limitations.

And again like tax laws, the escaheat laws have an interest provision and a penalty provision in the event of failure to remit the proper amount due to a state.

The small spot of good news in the gift card area is that there are 25 states or so that do not escheat gift cards.

Alan: The complexity of all these regs are staggering. The state-by-state differences are staggering. And the fact that these laws are so dynamic — that you have to update your tables of state laws each month — that level of change is also staggering.

Marty: Well, we have a great staff at Brann & Isaacson.

Again it sounds like I’m selling Brann & Isaacson, and I probably am. But we do have a great staff and we monitor all the publications, all the state laws. And they help me update my charts. I’m not doing that myself, but I have great people who work for me who do that important work.

Alan: Online retail is certainly a specialized area of the law. Retailers selling online and direct have to pay attention to the all the applicable state and federal laws to avoid getting in hot water.

Marty: Absolutely.

I’ve been consulted by other lawyers in the field who say these details are beyond them. It really literally is a minefield. Other lawyers turn to our firm or to other professionals who specialize in this complicated area.

Alan: General counsel may not be skilled in all these nuances.

Marty: Correct.

Alan: As we wrapping up this most interesting conversation, what is your top legal tip for online retailers?

Marty: The most important tip I can offer is “be proactive.”

By that, I mean retailers mst establish sound policies and practices — protocols I call them — review whatever policies and protocols regularly.

Why establish and review protocols? Several reasons.

One reason is that in case of a lawsuit the first thing that is asked for, whether it’s a government agency or a class action, is what are your polices and protocol.

The second reason is that the retailer, unbeknownst to senior management, may have a policy and protocol that is directly violative – that directly violates the law or that it may not even be following. A lot of companies, for example, adopted privacy policies. They basically copied another company’s privacy policy.

Alan: Very common.

Marty: But then they do not then follow those privacy policies. Well, there are a number of court cases that have said those privacy policies are really a contract with your customer. And if you don’t abide by that contract, your customer has a real right to sue you for what is called breach of contract. And then you might be exposed to many levels of damages.

The sharks out there are not only the federal and state governments, but there are class action lawyers who bring lawsuits based upon small damages to individuals. But when those small damages to individuals are aggregated, they become very large very fast. And many of the state statutes permit the recovery of attorney’s fees.

So the exposures are very large and the potential publicity and time that it takes management to address these issues after the fact makes a lot of – dictates that companies really should be looking at this before the fact.

That’s why I advise, “be proactive.”

Alan: A little up front work can mitigate a lot of risk down the road if something later goes awry.

Marty: Exactly right. “An ounce of prevention.”

Alan: I appreciate your generous advice and your tips on the complexities of our legal systems, state and Federal.

Marty: Thanks Alan.

Listen to podcast: Martin_Eisenstein_Interview_2008-1-11.mp3

Our ISPs see every click we make. Many ISPs then turn around and sell our clickstreams to aggregators like ComScore. We don’t have an option to opt-out, and the ISPs don’t share the revenue from those clickstreams with the clickstream creators (us). Similarly, the credit organizations see our every transaction, sell those data for profit, and have remarkably sloppy data practices to boot. I once found a car loan listed on my credit report that wasn’t mine. The bureau removed that at my request, but the casualness of their match logic was sobering. Others have noted this sloppiness too. In a comment on Tim’s post, Don Marti of Linuxworld suggests one reason privacy debates focus on Google is because they can actually collect data accurately: We hold Google to a higher standard because they’re smarter and have better data. Equifax customers can buy a credit report on me that says I started working two years before I was born.

The realization that other orgs know more about us than Google clearly doesn’t absolve Google from scrutiny of how and why it collects data. Rather, this realization should motivate citizens (and our goverment officials) to drag these other organizations (ISPs, credit card companies, credit bureaus, etc) as well into the bright lights of the modern privacy debate.

Google announced Wednesday it will soon overhaul its privacy policies. Under the new plan, all information logged from its search users — keyword queries, IP addresses, and cookies, for example — will be scrubbed after 18 to 24 months. Privacy advocates say it’s a step in the right direction, but see much room for improvement.

From the civil liberties perspective, it is comforting that perhaps Battelle was wrong and clickstreams won’t be eternal.

From an IT perspective, this will certainly save them some disk space.

From a direct marketing perspective, 18 months is plenty — purging stale data will have no material impact on any of Google’s targeting efforts.

From the FAQ:

Mailinator is a new kind of mail service. The biggest difference is that you don’t need to sign up. Any email name you can think of already exists at mailinator.com. Want goofy@mailinator.com? You got it. Want to be SuperGuy? BoohaBunny? FredInPants? No problem. They all already exist just waiting for you to check your mail.

How is Mailinator different than some other webemail? Say, Yahoo or Hotmail?
The differences are easy to list. Generally speaking however, anything you can do with Mailinator, you can do with some other email service. In fact, you can do more with other services since they allow you to actually send email (Mailinator only receives).
The differences are:

* Mailinator requires no sign-up. To create an account, you send email to it.
* You cannot send email from Mailinator.
* Your Mailinator email inbox can be read by anyone. There is no security here. If they know (or guess) your email address, they can read your mail.
* You cannot delete your email here (you can’t reply either), after a few hours, all email is auto-deleted.
* Mailinator has strict rules about what kind of email it receives. Plain text is best, html is filtered. Images, attachments, and fancy stuff is simply stripped away.

Why is this good?
In our internet world, you often need an email address NOW. Signing up for an email service takes time - that’s probably ok for most emailing, but every now and then you need a quick email address for just a single email. After that you don’t care what happens to it. Given that such disposable email is ready at your disposal, you can avoid giving out your real email address when you are afraid of getting spammed. Instead, make up any address @mailinator.com on the spot and go check it later.

(And following up on yesterday’s post on scaling databases, Paul Tyma provides a blog post describing the architecture and strategies he uses to handle 4.5 to 6 million emails per day on a single server. And not a big server at that: “A very modest machine with an AMD 2Ghz Athlon processor, 1G of ram (although it really doesn’t need that much), and a boring (IDE , low-performance) 80G hard drive. And honestly, its really not very busy at all.”)

Kudos to Paul for providing such a useful service, and also for sharing his strategies for accomplishing it on such modest hardware.

Sutton found 11% of the sites in his study have vulnerabilities. That’s a huge rate.

Sutton’s tool was written to assess the scope of the problem. The same technique could modified, easily, to attack sites en masse using an automated ‘bot. Scary.

Talk to your web folks. Make sure they’ve secured your site. Don’t allow any raw inputs to reach your database (SQL injection) or your HTML output (cross-site scripting).

Preventing SQL injection isn’t all that hard — yet 11% of sites haven’t got it right yet.

Only a tiny number of the 658,000 affected individuals suffered any real damage to their privacy. But a small number did. If I were the judge, I’d throw out the class in favor of individual suits.

According to TechCrunch,

The suit also demands that user search data not appear in further search results and not be used for commercial or non-commercial purposes. Though this is probably an unrealistic demand to make, it’s also a broad attack on many of the most interesting developments on the web today.

Search data not be used for commercial purposes? Too much money at stake — never going to happen.

The greatest impact this suit will have is increasing the awareness of search logs in the public consciousness. Look for evening news and 60 Minutes coverage on web privacy over the next few weeks.

Check out the AOL logs for yourself: data.aolsearchlogs.com

Amusing cartoon from xkcd about the logs:

(not making light of a very serious issue — just find the cartoon funny)

Their answer: yes, there seem to be such signatures.

What’s a web browsing signature? And why would online retailers care?

Just people have characteristic walking patterns, typing patterns, and online writing patterns, it turns out that people have characteristic ways of using websites.

And just as aggregate patterns of whorls and arches in a fingerprint can sometimes identify an individual, statistical measures of web usage can sometimes identify an online visitor.

In short: even if someone doesn’t log in to your website, you might be able to make a good guess as to who they are using the time they visit, how long the stay, and how they click across your site.

You could think of a click signature as a “soft cookie” — you’re not 100% sure of the user’s identity, but you might have a reasonable guess.

Not this year, however. Today’s sites aren’t advanced enough, and clickstreams aren’t well enough understood (or even stored) well enough. But maybe, some day, in far distant future — I’d predict about five years out — sites might be able to make reasonable guesses as who is using the site, just by their browsing behavior.

How could browsing signatures help an online retailer?

• Fraud. P & Y propose this approach as a way to detect possible fraud: “Alert! The user in session 12345 is attempting to check out using Jane Smith’s credit card, yet the user in session 12345 uses our site very differently than Jane Smith typically does. Investigate for potential credit card fraud.”
• Targeting. P & Y don’t discuss targeting, but a site could guess the identity of an anonymous visitor to serve relevant offers: “Alert! The user in session 67890 has similiar click sigature to Bob Jones, who often buys fishing equipment from us — serve fishing ads across site to this user.”
• Multichannel tracking. P & Y don’t discuss multichannel, but a retailer might be able to use click signatures to match anonymous web visits back to known web users, and then back to offline marketing: “Attention! The user in session 456789 has a similar click signature to Mary Thompson, to whom we just mailed a fall test catalog. That version seems particularly effective at getting older women to our site.”

Again, this software doesn’t really exist yet, and won’t for a long time.

I predict the major search engines will be among the first to try out this technology: “The searcher in session 33445566 isn’t logged in but we suspect it is 123456789 so we can maximize paid click revenue by favoring ads in categories 998, 776, and 554.”

It will be several more years before click signatures become standard enough to be rolled into e-commerce platforms for retailers. (mod_softcookie standard in Apache 4.0, perhaps?)

Still, it is intriguing to consider the long-term implications of click signatures. And these patterns remind us, yet again, how non-anonymous our web sessions are.

(Tech details: Using ComScore panel data, P & Y looked 50,000 users interacting with the “5 most popular online sites” in the data across all of 2004. P & Y characterized each session using five crude metrics — session duration, session pages viewed, session average time per page, session start time of day, session start day of week — and characterized each user-site pair by the mean, median, variance, min and max of these metrics. P & Y used binary search to find the best level of aggregation for a j4.8 classification tree. What I find most amazing is that this very crude five metric approach worked at all — I’d've thought they’d need much more detailed click stream information to get any predictive power.)

Microsoft OLE DB Provider for SQL Server error ‘80004005′
The log file for database ‘xxx’ is full. Back up the transaction log for the database to free up some log space.
/XXXX.asp, line 2208

Try as much as possible never to send internal error messages to the browser. Write them to internal logs. Such public disclosures can provide hackers helpful information to attack your site. More on web security for online retailers

Question: Could an increased interest/awareness of online privacy harm online advertisers by hampering their ability to track? (We online advertisers aren’t Big Brother, we just need to match ad sales to ad cost to buy more of the effective ads and less of the ineffective.)

No, I don’t think so. I believe the overwhelming majority (guess: 99.5% plus) of web users won’t care enough about the privacy issue to change their habits or install anonymizing technology. The only long-term concern would be if future browsers automatically and by default used proxies and cookie blocking for identity obfuscation, and I don’t see that happening any time soon. The greatest impact to online advertisers may be in increased public (mis)perception about tracking and cookies. Good idea to make sure your privacy policy is honest, accurate, non-alarming, and written in plain English.

Regularly flush cookies? Takes too much time. Lose the advantages of logging in? Too inconvenient. No vanity searches? Come on — ego too large. : )

The sensible EFF recommendations are too complicated for the inexperienced web user and too inconvenient for the experienced user.

Only (1) ardent privacy heads and (2) reasonably smart badguys will take the time.
For the majority of us, our online search tracks will be logged in the database of intentions for just about forever…

Idle speculation: I wonder if Brin and Page follow the EFF’s advice?