Saturday, November 15, 2014

One More Reason to Handle Consumer Electronic Consents Correctly

From time to time, clients balk when I describe the components of an effective consumer consent to an electronic transaction. They say "I've seen lots of other websites, and they don't require this."

They are correct, in part. Most websites have deficient disclosures and consent language. Most of the time, it does not result in anything catastrophic. That does not make it legal...or smart.

One aspect of consumer electronic transactions that people question most often is affirmative consent. They ask whether it is truly necessary to provide detailed disclosures and obtain affirmative consent from consumers when entering into agreements through electronic means. Affirmative consent means that the consumer expressly agrees to the terms, or "opts in." An example of affirmative consent is the following:

"By clicking the button labelled 'Accept' below, you agree to the terms and conditions of this Agreement and acknowledge that you have read and understand the disclosures provided above."

Most businesses would generally prefer negative consent, or "opt out." An example of negative consent is the following:

"By using this website, you are agreeing to the terms of these Terms and Conditions."

Obviously, getting "negative" consent is easier and cheaper than getting affirmative consent.

However, the (federal) E-SIGN Act and the (state) Uniform Electronic Transactions Act require that if any other statute, regulation, or rule requires that a consumer be given a document or disclosure in writing, then in order for a consumer to effectively agree to receive it in electronic format, the consumer must affirmatively consent after having been given very specific disclosures. In some circumstances, it may be difficult to identify a specific law requiring a written disclosure in connection with the contemplated transaction. However, there are a number of disclosure requirements contained within the millions of pages of law affecting consumer transactions. Just because you can't think of one off the top of your head doesn't mean none exist. For this reason, I almost always advise my clients to obtain affirmative consent from consumers for online agreements.

In this post, I'm going to give you a real-world example of a situation in which obtaining a proper consumer electronic consent could save a lot of money.

ABC Corp. (fictional) sells products and services to consumers in North Carolina through its website and the telephone. It has collected information from tens of thousands of consumers over the past few years, and stores that information on its database on its own server. Included in the information are the consumers' credit card numbers (so that regular customers will not have to provide all of their information with every order). The credit card numbers are not encrypted on the database. ABC Corp. becomes aware of an incident of unauthorized access to its database. Customer information likely has been accessed, and the available information indicates that the person who accessed the information has nefarious intent.

Under North Carolina law, ABC Corp. is obligated to notify each consumer of the data security breach. The North Carolina Identity Theft Protection Act says that ABC Corp. can notify the consumers via email only if the consumer's consent has been properly obtained in accordance with the E-SIGN Act. If ABC Corp. has records of consumers' email addresses, but has not obtained the proper consent to provide subsequent legally-mandated notices by email, ABC Corp. cannot provide the notice by email. Instead, the Identity Theft Protection Act requires that the notice be provided by mail (if mailing addresses are available). Therefore, because ABC Corp. has failed to obtain consumer consent in the proper way at the outset, the cost of responding to a subsequent data security breach will be tens of thousands of dollars more as a result of printing and postage alone.

This is just one example of the many ways in which handling consumer consent correctly at the start of a relationship with the consumer can pay off later.