Electronic commerce law: 2001 developments






Description:
Business rationalizing the law of electronic commerce

In 2001, innovation in technology and business still managed to outpace law reform even though considerable progress was made in rationalizing the law of electronic commerce, and the breakneck pace of change in the economy slowed to a crawl. Just as major issues that for years had created uncertainty were finally addressed with legislation, new issues emerged that defied quick or easy resolution. This Article will provide a brief overview of some of the most important developments in the law governing on-line commercial transactions, including new federal and state legislation in the United States and new European Union (EU) legislation

LAW REFORM EFFORTS

In the last year, new federal and state laws to remove unnecessary obstacles to electronic commerce have gone into effect. At the federal level, the Electronic Signatures in Global and National Commerce Act (E-SIGN) (1) became effective on October 1, 2001

E-SIGN

If E-SIGN largely succeeded in closing one can of worms, namely the mostly unwarranted degree of concern over the validity of electronic records and signatures, it opened several more that may prove just as difficult to resolve. E-SIGN, like UETA, provides that a record or a signature cannot be denied legal effect merely because it is in electronic form. (5) In addition, both statutes provide that no one can be required to use electronic media. (6) While UETA does not provide specific guidance for determining whether a party has consented to the use of electronic media, some of the most complex provisions of E-SIGN govern the manner in which consent must be given by consumers in order to be valid. Businesses wishing to use electronic media to communicate with consumers must:

* obtain the consumer’s “affirmative consent” to receive information in electronic form;

* inform the consumer whether he or she has the option to enter into this transaction at the time the consumer’s consent is solicited, even if the consumer does not wish to accept electronic communications;

* inform the consumer whether the consent is for a single transmission of information or for a series of transmissions that will take place over the course of a relationship;

* inform the consumer what the system requirements are for receiving information in electronic form;

* take reasonable steps to ensure that notwithstanding any apparent consent on the part of the consumer, it really is feasible for the consumer to receive information in electronic form. (14)

If a business subsequently upgrades its system but the consumer does not, creating a risk that the consumer will no longer be able to receive information in electronic form, then the business must again follow all the steps outlined above. (15) Whenever the consumer ceases to be able to receive communications electronically due to obsolescence, the business must not impose any fees on the consumer if he or she withdraws his or her consent to receive electronic communications. (16)

In June 2001, the FTC reported to Congress that although the consent requirements imposed on businesses wishing to use electronic media to communicate with consumers were significant, they were not overly burdensome. (17) This was true in light of the genuine benefits conferred on consumers by the consent requirements, which improve the chances that consumers may understand the practical significance of consenting to the use of electronic media before agreeing to it. The standard is flexible enough to accommodate a wide range of technological and business solutions. For example, the following procedures should all meet the “reasonably demonstrates” standard:

* A business that communicates with its consumer customers by postal mail might include an insert in a mailing asking the customer to send an email requesting future disclosures or statements be sent by email. The business will need to find a way to confirm that the consent to the use of electronic media actually came from the customer, and not an imposter. This might be accomplished by providing each customer with a unique ID number in the postal correspondence that must be included in the email before the consent will be accepted.

* A business that wishes to provide disclosures or statements to its consumer customers using a particular file format, such as a Portable Document Format (PDF) document sent as an email attachment, could send the consumer a test message. The consumer could be required to send back a reply email confirming that she could open the PDF file.

* A business that communicates with its consumer customers by postal mail might include an insert in a mailing asking the customer to access its Web site and complete a Web form consenting to receive future disclosures or statements by accessing the Web site in the future. Again, some procedure would have to be devised to screen out requests from imposters.

* A consumer that accesses a Web site to apply for a loan or open an account can be asked to provide consent to receive disclosures or statements by email or Web access in the future.

Another difficult issue raised by E-SIGN is how government agencies that are involved in processing commercial transactions will respond to public demand for regulatory systems that accommodate electronic documents as well as paper ones. While E-SIGN provides that government agencies cannot refuse to accept electronic records or signatures, (18) with regard to documents filed with the agencies, they can decide what standards or formats they will accept. The interpretative regulations cannot impose requirements substantially different from those imposed on records that are not electronic, or unreasonable costs on the acceptance and use of electronic records. (19) In addition, such interpretative regulations must be media neutral and not give greater legal status or effect to use of a specific technology. (20) In September 2000, the Office of Management and Budget (OMB) issued “Guidance on Implementing the Electronic Signatures in Global and National Commerce Act” (21) to explain E-SIGN to federal agencies and to assist them in implementing its requirements. The guidance contains three parts: (i) a short summary of the law

State or federal regulatory agencies may interpret the accuracy and accessibility requirements of E-SIGN section 101(d) in order to set performance standards to assure accuracy, record integrity, and accessibility. (23) In setting these standards, an agency may give greater legal status or effect to use of a specific technology if it would serve an important governmental objective and is substantially related to achieving that objective. (24) An agency cannot require the use of a particular type of software or hardware in such standards, however. (25) Agencies are permitted to require that specific technologies be used in procurement systems set up for the agencies’ own contractual transactions. (26) Agencies may, under very narrow circumstances, even impose paper requirements for record retention under this section. (27) There must be a compelling governmental interest, and the paper requirement must be essential to attaining that interest. (28)

Federal agencies on the front lines of regulating major electronic commerce markets such as the Federal Reserve Board, the Office of the Comptroller of the Currency, and the Securities and Exchange Commission have revised dozens of regulations in light of E-SIGN. In November 2000, the Department of Defense, General Services Administration, and NASA proposed revising the Federal Acquisition Regulation to conform to the requirements of E-SIGN. (29) In February 2001, the National Credit Union Administration proposed revising its record preservation requirements to make their compatibility with E-SIGN clear. (30) Around the same time, the Environmental Protection Agency, the Department of Education, the Securities and Exchange Commission, and the Drug Enforcement Administration of the Department of Justice announced their intentions to develop regulatory performance standards to assure (i) accuracy, (ii) record integrity, and (iii) accessibility of electronic records within their respective regulatory purviews in order to meet the requirements of E-SIGN. (31)

The application of E-SIGN to federal agencies is quite clear

The OMB’s Guidance on Implementing E-SIGN suggests in its Appendix A that this may not be an appropriate reading of E-SIGN in light of its legislative history. (34) The congressional record indicates that the definition of “transaction” excludes “governmental” functions from its scope. (35) Congressman John Dingell of Michigan explained the kinds of transactions covered by E-SIGN:

You will note that the definition of “transaction” includes business,
commercial, or consumer affairs. The Conferees specifically rejected
including “governmental” transactions. Members should understand that this
bill will not in any way affect most governmental transactions, such as law
enforcement actions, court actions, issuance of Government grants,
applications for or disbursement of Government benefits, or other
activities that the Government conducts that private actors would not
conduct. Even though some aspects of such governmental transactions (for
example, the Government’s issuance of a check reflecting a Government
benefit) are commercial in nature, they are not covered by this bill
because they are part of a uniquely governmental operation. (36)

In Informal Opinion 2001-3, issued to the Acting Attorney of the County of Westchester, the Office of the Attorney General of New York concurred in the OMB reading of the legislative history and concluded that “E-SIGN probably does not preclude a county recording officer from rejecting a filing submitted for recordation that bears only an electronic signature but lacks an ‘original signature.’” (37) In September 2000, Goodwin, Procter & Hoar issued an opinion to the American Land Title Association, a trade association for the real estate industry, stating that it seemed unlikely that county land recorders would be required to accept electronic real estate filings in light of the lack of any legislative history to support such an interpretation, the magnitude of the impact of such a requirement on the real estate industry, and its inconsistency with the Unfunded Mandates Reform Act of 1995. (38)

UNIFORM LAW COMMISSION

Revised Uniform Commercial Code (U.C.C.) Article 2

The American Law Institute (ALI) approved the 2001 draft of amendments to Article 2 at its annual meeting in May 2001, (39) but the NCCUSL did not approve the draft at its annual meeting in August 2001, making it unclear when a revised Article 2 would be available for consideration by the states. E-SIGN was enacted after the ALI 2000 Annual Meeting, so the 2000 draft of Article 2 had not been revised to take account of it.

E-SIGN [is] applicable to transactions governed by … Article 2, and it
pre-empts a number of inconsistent provisions…. The [2001 draft of
Article 2] retains a few substantive contracting provisions that are beyond
the scope of E-SIGN and a few procedural provisions that are consistent
with E-SIGN. The latter provisions were retained in order to validate
electronic contracts in the small class of transactions to which E-SIGN
does not apply. (40)

Some definitions will be moved from Article 2 to Article 1 and will be revised where necessary to conform to the requirements of E-SIGN: sign (which will include electronic signatures)

The effort to finalize revisions to U.C.C. Article 2 foundered in 1999 due to industry opposition to revisions perceived as either unnecessary and likely to create uncertainty where law is now well settled without adequate justification for the changes, or undesirable because they were more favorable to consumers than the current version of Article 2. (45) During 1999 and 2000, a new reporter and drafting committee developed a new draft for consideration by NCCUSL. (46) Revisions to U.C.C. Article 2 were not finalized in 2000 due in part to unresolved issues regarding the scope of Article 2 to address software transactions and the coordination of the scope of Article 2 and the scope of the Uniform Computer Information Transactions Act. (47) The 2001 draft of amendments to Article 2 is simply silent on this issue, reflecting a continuing lack of consensus.

Uniform Money Services Act

During the height of the Internet bubble, “person-to-person” (P2P) electronic payment services were springing up like weeds. By 2001, most had failed, leaving only a few major players such as PayPal still competing. In light of the instability in the market for this type of service, it would not be surprising for state regulators to declare that P2P Internet payment services are subject to existing laws applicable to check cashers, money transmitters, and currency dealers in an effort to protect consumers. Almost all states have laws governing various forms of nondepository financial-service providers that might also apply to these Internet service providers. These laws at a minimum require that the business obtain a state license before engaging in a regulated nondepository financial service. In addition, many states have established insurance programs and safety-and-soundness standards with which such businesses must comply. (48) There is little uniformity in the types of businesses regulated by state law or in requirements imposed on those businesses. As a result, in 2000, the Uniform Law Commission promulgated the Uniform Money Services Act (formerly referred to as the Non-Depository Providers of Financial Services Act). (49) In 2001, Vermont became the first state to enact this legislation. (50)

The Uniform Money Services Act “provides that a person may not engage in specific regulated activities … unless they hold a qualifying license or are an authorized delegate of a person holding a qualifying license.” (51) The specific regulated activities include money transmission, check cashing, and currency exchange. (52)

Licensing is set up as a three-tiered structure:

if a person is licensed to engage in money transfer services, he or she
can also engage in check cashing and currency exchange without having to
obtain a separate license for that purpose
engage in check cashing, he or she can also engage in currency exchange
(but not money transfers)
exchange, he or she may only engage in currency exchange services. (53)

This model law is expected to expand the scope of most existing state laws in order to place new forms of money-services businesses on a level playing field with more established businesses, such as check cashers or money transmitters, and to create a simpler, more rational framework for the licensing and regulation of such businesses. (54)

Applicants wishing to establish money transmission businesses must disclose certain information, such as any criminal convictions, prior related business history and operations in other states, and material litigation. (55) Money transfer applicants must also satisfy certain security requirements (typically by providing bonds in specified amounts), must meet threshold net worth requirements, and are required to pay statutorily-defined license fees. (56) Applicants also must retain security thresholds for five years past the date of the transaction, and are subject to regular licensure review and renewal (with additional disclosures and fees). (57)

All three categories of licensee are subject to an annual examination by the regulating agency with forty-five days notice. (58) The regulating agency may also examine licensees and delegates without notice where there is reason to believe the licensee or delegate is engaging in an unsafe or unsound practice or has violated the act or regulations adopted under the act. (59) If the regulating agency concludes that an on-site examination is necessary, the licensee shall pay the reasonable costs of that examination. (60) Licensees are required under the act to file material changes in information disclosed in an application within fifteen business days (including any change in control), to file quarterly business update information (names of authorized delegates, responsible persons, and all locations in the state where business is conducted under the license), and to file a report within one business day concerning a bankruptcy, reorganization, or receivership petition, the cancellation or impairment of a bond or other security, the commencement of a proceeding to revoke or suspend its license in any jurisdiction, or a felony charge or conviction against any licensee or any executive officer, manager, director, or authorized delegate of a licensee. (61)

In order to ensure that they can meet their obligations to individuals using their services, licensees are required to maintain at all times investments with a market value greater than or equal to the aggregate amount of all outstanding payment instruments, stored value obligations, and transmitted money. (62) The act specifies a list of permissible investments for this purpose, and provides that these investments are held in trust for the benefit of purchasers and holders, even if commingled, in the event of bankruptcy or receivership of the licensee. (63)

Regulating agencies are empowered under the act to suspend and revoke licenses, to issue cease and desist orders, to enter into consent orders, and to assess civil penalties. (64) The act makes it a felony to intentionally make a false statement, misrepresentation, or certification in connection with a record filed or maintained under the act, and provides that it is either a misdemeanor or felony (depending on the amount of compensation earned) for any person to knowingly engage in these regulated activities without a license. (65)

Certain federal regulations may apply to consumer-to-consumer Internet payment services as well. (66) In 1999, the Treasury Department amended its regulations implementing the Bank Secrecy Act (67) to require that check cashers, money transmitters, and currency dealers register themselves and their agents with the government. (68) Unlike the regulations proposed in 1997 by the Treasury Department’s Financial Crimes Enforcement Network (FinCEN), these regulations exempt nonbank issuers and sellers of stored-value cards from any registration requirements imposed on money-services businesses. (69) It is unlikely this exemption would cover consumer-to-consumer Internet payment systems. Under the final rule, currency transactions in excess of $10,000 by stored-value issuers and sellers require reporting under the Bank Secrecy Act, and businesses that participate as financial intermediaries in transactions in which stored value is transferred electronically “may … be subject to the rules requiring the maintenance of records for fund transfers of $3,000 or more.” (70)

UNCITRAL MODEL LAW ON ELECTRONIC SIGNATURES

In March 2001, the Working Group completed its work on a Model Law on Electronic Signatures four years after it began the project in 1997. (71) The full commission adopted the Model Law and its associated “Guide to Enactment” at a session held in July 2001. The E-Signatures Model Law was supported by most participants in the UNCITRAL drafting process but was vociferously objected to by some members of the U.S. delegation. (72) Some members of the U.S. delegation believed that the E-Signatures Model Law was based on an outmoded idea of how digital signatures are likely to be used in Internet commerce and thought that the Model Law compounded this shortcoming by mandating risk allocation rules that are counter-intuitive and unproductive. (73) In addition, the E-Signatures Model Law was promulgated by UNCITRAL after developed countries had already passed laws dealing with the same subject matter in quite different ways than the Model Law. Because it is unlikely any developed countries are going to repeal their current laws in order to enact legislation based on the Model Law, the Model Law is unlikely to achieve its objective of harmonizing law in this area. What it is likely to do, however, is encourage developing countries to pass laws that are out of step with actual commercial practice in Internet commerce, further disadvantaging their local businesses that try to compete in the global information economy.

In 2001, the Working Group debated convening new projects that might involve revisions to the Convention on Contracts for International Sales of Goods to deal with cross-border electronic contracts, contracts involving sales or licenses of intangibles such as information or software, and electronic alternatives to negotiable instruments, documents of title, or stock certificates. (74)

EUROPEAN UNION

In 1997, the European Commission announced its intention to create a coherent legal framework within Europe for electronic commerce by the year 2000. (75) By 2001, an Electronic Signatures Directive (76) and an Electronic Money Directive (77) had been enacted by the EU and were to be transposed into member state law by 2001 and 2002 respectively.

Electronic Signature Directive

In the European Union, some member states such as Germany and Italy enacted comprehensive, highly technical laws regulating digital signatures in much the same style as the Utah Digital Signature Act. (78) Other member states, such as the United Kingdom, favored a less regulatory, more technologically neutral approach to the question of electronic signature laws. (79) The EU Commission proposed a directive on the question of electronic signatures to harmonize the law in this area and to prevent barriers to electronic commerce emerging among the member states. (80) In November 1999, the EU enacted the ES Directive which is to be transposed into member state laws by July 2001. (81) The ES Directive will not apply to electronic signatures used exclusively within closed systems, such as internal corporate networks or those whose participants are all drawn from a single industry or trade association, recognizing that private agreements among the interested parties provide an adequate legal framework in those situations. (82)

The ES Directive is an experiment in electronic commerce regulation “lite” by the Commission. The Directive provides that member state governments cannot require certification-service-providers to be licensed prior to offering their services, but encourages the development of voluntary accreditation standards and other forms of self-regulation. (83) The EU and its member states are often characterized in the United States as overly quick to regulate and overly mistrustful of the free market. This provision was designed by the EU Commission to counteract any impulse member states might have to try to control developments in this area too closely. (84) On the one hand, the ES Directive provides that “advanced electronic signatures” based on “qualified certificates” and created by “secure-signature-creation devices” will be treated as equivalent to traditional signatures for legal purposes. (85) On the other hand, no member state is permitted to deny legal effect to any form of electronic signature merely because it is not an advanced electronic signature. (86) Four appendices to the directive provide checklists of general requirements that certificates, certificate authorities, secure-signature-creation devices, and secure signature verification must meet in order to create an advanced electronic signature. (87) Member states are permitted to set up regulatory procedures for reviewing whether particular service providers or technologies meet the requirements sketched out in the annexes. (88) The Commission has tried to create a system with enough incentives to motivate private and public organizations to collaborate on developing a framework of standards within which on-line identities can be reliably established.

A basic element of EU electronic commerce policy generally is that consumers will refrain from participating in on-line markets if they do not feel confident they will be treated fairly, so a major objective of the ES Directive is protection of consumers who use electronic signatures in on-line commerce. (89) For example, Annex III, paragraph 1(c) provides that a “secure signature-creation device” must be capable of being reliably protected by the legitimate signatory against the use of others. (90) So if a signature creation device required the use of a private key stored on a hard drive, and member state regulators were not convinced that such a system met the requirement of reliable protection against unauthorized use by others, then signatures created using that technology would not qualify as “advanced electronic signatures” and could not be granted enhanced legal recognition. The ES Directive requires member states to enact laws making certification-service-providers liable for the accuracy of the contents of certificates they issue, although a certification-service-provider may avoid liability by proving it did not act negligently in issuing a certificate. (91) In addition, Annex I to the ES Directive sets out the information that a qualified certificate must contain. (92) In effect, this is a higher standard of liability for certification-service-providers than that imposed by the Utah Digital Signature Act. 
Under the Utah law, a certification-service-provider could disclose shoddy practices through a CPS and then only be liable if it issued certificates containing inaccurate information if it failed to meet the standard it established for itself in the CPS, or knew the information was

capacity The court accepted the reasoning in eBay that the operator of the computer system should not be required to show precisely how much its system capacity was reduced, or that a certain number of customers had been denied the level of service they would have otherwise expected, or that the system had crashed, as a result of the defendant’s interference. (174) If the plaintiff could show that the defendant’s unauthorized access to its system had deprived the owner of any system capacity, that was sufficient, because without the right to block unauthorized access by this defendant, then the system operator would have no way to prevent an ever greater proportion of its system capacity being diverted to unauthorized uses. (175)

The court also held that Register.com was likely to prevail on its civil claim under the CFAA. (176) This is a statute that prohibits accessing a computer without authorization, or exceeding authorized access in order to obtain information from a “protected computer,” or intentionally accessing without authorization a protected computer and then causing damage to that computer. (177) In 1996, the definition of protected computer was expanded to cover any computer used in interstate or foreign commerce or communication. (178) As a result, any computer connected to the Internet is a protected computer and unauthorized access to that computer is subject to civil and criminal liability. Damage is defined as impairment to the integrity or availability of data, a program, a system, or information that causes a loss of $5,000. (179) If there were concerns about the lack of balance between the public’s interest in free access to factual information and the Web site operator’s interest in controlling access to its system in the application of the doctrine of trespass to chattels to Internet commerce, the application of the CFAA is even more disturbing because it provides for criminal as well as civil liability for the conduct at issue.

CONSUMER ISSUES

AGREEMENT TO ARBITRATE

The law governing the use of agreements to arbitrate has its roots in cross-border commercial transactions. Merchants engaged in international trade have long been interested in finding a quick, fair dispute resolution system and avoiding litigation in the national courts of a foreign country. Just as with choice of law and forum clauses, traditional hostility of courts to what was once seen as the usurpation of their authority by an agreement among private parties had in large part disappeared by the end of the 20th Century.

The 1958 New York Convention on International Arbitration (180) requires signatories to recognize arbitration agreements, to refer cases to arbitration pursuant to such agreements, and to enforce arbitral awards. As a result, arbitral awards are generally easier to enforce than judicial decisions issued by a foreign court system. Arbitration agreements are routinely enforced in the context of commercial transactions, but many national legal systems treat as non-arbitrable certain types of disputes that are deemed for public policy reasons to be more suitably adjudicated in courts. Consumer transactions are often among those deemed not suitable for arbitration.

The Federal Arbitration Act of 1925 (FAA) (181) governs written arbitration agreements used in commercial transactions involving interstate commerce. (182) The Supreme Court has recently interpreted “involving commerce” broadly to find that litigation in state court in Alabama had to be stayed pending the outcome of arbitration where the transaction involved interstate commerce. (183) In that case, a homeowner who purchased a “lifetime termite protection plan” from a local office of a multistate business wanted to bring suit in state court claiming the pest control company had breached the agreement, which included an arbitration agreement. The Uniform Arbitration Act of 1956 has been adopted in forty-nine states, (184) so it may be necessary to determine whether an agreement to arbitrate is governed by state or federal law. The Supreme Court has held that if a contract contains an arbitration clause and a choice of law clause pointing to the law of a state that has enacted legislation to regulate arbitration, then the policy of deferring to the choice of the parties points to the application of the state arbitration law. (185) This is so notwithstanding a general policy of promoting the use of arbitration through liberal application of the FAA.

A decade ago, consumer arbitration was almost unknown, but today it is routine for businesses dealing with consumers to include terms in their contracts that require any disputes “arising from or relating to” the transaction to be resolved in binding arbitration. (186) Notwithstanding vigorous criticism from consumer advocates of the enforcement of mandatory pre-dispute arbitration terms in consumer contracts, (187) recent cases, including a Supreme Court case, make the enforcement of these terms more certain.

In Green Tree Financial Corp. v. Randolph, (188) the Supreme Court effectively narrowed the possibility of obtaining an interlocutory appeal of a district court order enforcing an arbitration term, and put obstacles in the way of consumers trying to avoid arbitration on the grounds that the expense of arbitration will in effect deprive the consumer of mandatory consumer protections provided by federal law. (189) Randolph had purchased a manufactured home that was financed by Green Tree

The Supreme Court unanimously upheld the Eleventh Circuit on the interlocutory appeal issue, but narrowed the holding, so that had the district court retained jurisdiction over the case instead of dismissing it, while still ordering the dispute to arbitration, then the appeal would have been improper. (193) This holding clearly indicates how counsel seeking enforcement of arbitration provisions should proceed if there is a court challenge to the enforceability of the arbitration clause: request the district court to retain jurisdiction pending the outcome of the arbitration, something which was routinely granted prior to the Randolph case. In a split decision, five justices held that a party challenging an arbitration clause bore the burden of proof in showing that arbitration costs would be prohibitively high, and ruled against Randolph on this issue. (194) This holding was justified by the fact that there is a liberal federal policy favoring arbitration agreements

The popularity of arbitration clauses in consumer contracts in recent years is due in large part to the ability to prevent class action lawsuits being brought against the contract drafter by requiring aggrieved parties to arbitrate each dispute individually. The Supreme Court did not specifically address the issue of whether depriving a plaintiff of the possibility of obtaining certification to represent a class would constitute grounds to refuse to enforce an arbitration agreement, but it seems unlikely that this argument would prevail in any event. In two recent circuit court cases, this argument has been rejected. (200)

The Magnuson-Moss Warranty-Federal Trade Commission Improvement Act of 1975 (201) and the regulations issued by the Federal Trade Commission implementing those rules, (202) regulate the form and substance of warranties merchants provide to consumers purchasing tangible consumer goods. (203) One provision in the FTC regulations implementing Magnuson-Moss is a prohibition against warrantors representing in any warranty that the decision of the warrantor, service contractor, or any designated third party is binding or final in warranty disputes. (204) This has been interpreted to prevent warrantors from requiring consumers to submit to binding arbitration if the arbitrator is designated by the warrantor alone.

The FAA permits a court to compel arbitration if there is a “written agreement” for arbitration. (205) In In re RealNetworks, Inc., (206) the court expressly held that a click-through agreement, even though RealNetworks had not provided a mechanism for the end user to print or save the terms of the agreement, was nevertheless a “writing” for purposes of the FAA. (207) The holding in this case may be inconsistent with new federal legislation regarding signatures and writings, however. It seems likely therefore that any merchant entering into an agreement with a consumer that includes an arbitration agreement must comply with the consumer protection provisions in section 101(c) of the Electronic Signatures in Global and National Commerce Act of 2000 (E-SIGN), (208) which include ensuring that the consumer can access, print out, and later retrieve the text of an agreement entered into by electronic means. (209) Failure to comply with these consumer protection provisions will mean that the merchant entering into an electronic contract with a consumer has not obtained a “written” agreement, which will render the arbitration provision unenforceable.

INTERNET AUCTIONS

Internet auction sites have enjoyed an explosion in popularity in recent years. Founded in 1995, eBay was the first major auction site to make it possible for individuals to do business with other individuals over the Internet. It remains the largest, with over 29 million users and over 6 million items listed at any given time. (210) As the popularity of the concept continues to grow, however, the number of Internet auction sites set up for individuals is mushrooming. (211) Although the law governing traditional brick-and-mortar auctions is well established, it is unclear how such law will be applied to Internet auction sites. While Internet auction sites have operated for several years with relatively little supervision from government regulators, increasing reports of fraud may make it difficult for regulators to continue to adopt a “hands-off” posture. (212)

Brick-and-mortar auctions are normally regulated by state governments, which frequently require anyone conducting an auction to obtain a license. (213) Leading Internet auction sites do not appear to have obtained licenses from each state or municipal government from whose citizens the site accepts bids. eBay styles itself a “marketplace” or a “community” rather than an auction, (214) but Amazon.com and Yahoo! label their auction sites as “auction.” (215) In May 2000, a French court barred nart.com from accepting bids from French consumers because it failed to use a state-licensed auctioneer and pay French value-added tax. (216) As the number of complaints to state regulators regarding Internet fraud grows, it is unclear whether state regulators will continue to address them under general consumer-fraud statutes, or whether states will begin to require Internet auction sites to obtain licenses.

While U.S. regulators have exercised restraint in pursuing on-line auction sites, it is not clear that foreign regulators will show the same restraint. Yahoo! has been embroiled in litigation with various groups in France since 2000 on the grounds that Nazi memorabilia and Holocaust denial materials were available on its auction site. (217) Yahoo! was sued in France by the Ligue Internationale Contre le Racisme et L’antisemitisme (LICRA) and the Union des Etudiants Juifs de France (UEJF) in Paris in 2000 on the grounds that it was violating French criminal law by disseminating Nazi materials. In May 2000, when the judge in the Tribunal de Grande Instance ordered that Yahoo! take steps to block access by individuals in France to Nazi memorabilia, (218) Yahoo! countered that it was not subject to the jurisdiction of the French court and further that it was not possible to ascertain the country of origin of visitors to its site with sufficient precision to comply with the order. The judge expressed skepticism regarding these claims by Yahoo! because Yahoo! was capable of modifying banner ads so that they appeared in French when visitors from France used the Yahoo! auction site. (219) Yahoo!’s French subsidiary was required to post a notice informing the visitor that trying to access materials that violate French law, such as Nazi memorabilia, would make the visitor liable to prosecution under French criminal law. (220) The French judge then appointed a panel of experts to advise him on the accuracy of Yahoo!’s claims. (221) In November 2000, he received the experts’ report and came to the conclusion that although it might be difficult to be absolutely certain whether a visitor was accessing Yahoo!’s site from France, Yahoo! could use a combination of strategies to determine who was likely to be coming from France and to block their access to materials prohibited by French law. (222) The French experts cited in the report noted that for Internet users in France, it was possible to identify about eighty percent of IP addresses as being assigned to French ISPs

Yahoo! responded by suing LICRA and UEJF in California for a declaratory judgment that the French judge’s order would not be enforceable against it in the United States. In June 2001, the federal district court denied the motion to dismiss for lack of personal jurisdiction against LICRA and UEJF. (228) Yahoo! pointed out that LICRA and UEJF had written cease and desist letters to Yahoo! in California and had made use of U.S. Marshals in California to serve Yahoo! with process in the French court proceeding. Yahoo! claimed there was evidence the French court was biased in its decision, a claim that was certainly given credence by the suppression of parts of Vinton Cerf’s submissions for the experts’ report to the judge.

eBay was twice victorious in California Superior Courts in defending its theory that it is merely a venue, not an active participant, in the process of buying and selling that takes place on its site. In Stoner v. eBay, (229) eBay was found not liable for sales of bootlegged recordings of live music. (230) The plaintiff sought damages based on the California Business and Professions Code Section 17200 (prohibiting unlawful, unfair or fraudulent business practices) (231) based on eBay’s participation in copyright piracy. The court found that the immunity provided Internet service providers in the Communications Decency Act (CDA) (232) applied to eBay in this case. (233) In January 2001, a lawsuit was filed seeking class action status for claims against eBay for purchases of phony sports memorabilia on the site. (234) The suit claimed $100 million in damages based on California Civil Code Section 1739.7 which imposes liability on dealers in autographed materials. (235) Although the judge first certified the class in November 2000, she later dismissed the case on the same CDA immunity grounds as the court in Stoner. (236)

eBay makes an effort to keep objectionable materials off its site, even though it is not possible to review each listing individually. With regard to the distribution of consumer products that may be unsafe, eBay maintains a link to the Web site of the Consumer Products Safety Council (CPSC), the federal agency authorized to issue recalls of unsafe consumer products. This permits vendors to check to see if a product has been recalled by the CPSC before trying to sell it on eBay. Following these two victories, eBay began actively monitoring its site for materials that might infringe copyrights in the hope that the CDA immunity would shield it from liability. With regard to copyrighted materials, eBay’s problem lies in the terms of the Digital Millennium Copyright Act (DMCA) (237) safe harbor, which requires that the ISP must not have actual knowledge that material infringes a copyright in order to be sheltered from liability. (238) eBay is at risk of liability for direct or contributory copyright infringement if its monitoring activities create knowledge of infringing activities. In Small Business, Inc. v. Fast-Metal.com, where a purchaser bought three tons of scrap metal that turned out not to be of the quality represented on the site, the case was dismissed because the auction house had immunity under the Communications Decency Act. (239)

In order to combat these forms of fraud, Internet auction sites may offer insurance to their subscribers or an escrow service where the purchase price can be held until the purchaser confirms receipt of the goods. (240) Internet sites also encourage users to be vigilant and to learn as much as possible about the party on the other side of the transaction, and they provide rating systems to permit parties with no prior relationship and no contact outside the Internet auction site to assess each other’s bona fides. (241) Relatively few individuals use escrow services, however, apparently deeming them too troublesome or expensive. (242) Rating services are vulnerable to manipulation by unscrupulous parties who may register under multiple aliases and submit positive feedback on themselves, or may work with other individuals to inflate each other’s positive ratings. Criminal prosecutions as well as civil enforcement actions have been brought in rare instances where there was strong proof of wrongdoing and the responsible individual could actually be found, (243) but in most cases consumer-protection agencies can do little to help consumers. In cases where the problem is not necessarily fraud, but one of the transacting parties is dissatisfied with the outcome, dispute-resolution services may be offered by the Internet auction site.

INFORMATION PRIVACY

Advances in database-management technologies and the falling prices of communications and information-processing technologies are contributing to an explosion in business applications for data. If the data describes individuals, then privacy law may limit some of the uses a business may make of that data. American privacy law is a complex patchwork of statutes and common-law doctrines which in aggregate have a surprisingly narrow scope when applied to the business use of personal information. This is in marked contrast with the privacy law of the European Union, which grants very general, very strong privacy rights to individuals in the EU. (244)

COPPA AND GLB ACT

Because the United States lacks any general right of privacy for personal information, there have been few restrictions on what information businesses can collect and what they can do with it. When the issue emerged as a major concern of ordinary Americans, politicians rushed to propose new legislation, only to be headed off at the pass in most instances by well-organized and well-financed lobbying efforts on behalf of the businesses that profit from the collection and analysis of that information. From that volatile mix of changing business practices, widespread public anxiety, and political grandstanding have come two major statutes creating new information privacy rights. In keeping with the sectoral approach to information privacy laws taken in the United States, both of those laws are quite limited in scope. The Children’s Online Privacy Protection Act (COPPA) (245) creates privacy rights for children’s information, but only if the information is collected over the Internet. (246) Similarly, the privacy provisions of the Gramm-Leach-Bliley Act (GLB Act) (247) create a limited right for consumers with accounts at financial institutions to “opt-out” of having their information shared with third parties. (248) But even this limited right does not extend to information sharing with affiliates of the financial institution itself, or require financial institutions to provide access to the marketing information the financial institution itself has collected. The administrative procedures created to implement this right have resulted in the inundation of American consumers with confusing disclosure statements, the expenditure of major compliance expenses by all U.S. financial institutions, and the payment of large fees to bank lawyers helping their clients try to comply with the new law. It is not clear, however, that these investments will produce any substantial results in terms of individual privacy protections.

Congress passed COPPA in response to general outrage at the practices of operators of Web sites targeting children in the collection and use of personal information. The FTC implemented that statute with its Children’s Online Privacy Protection Rule (COPPA Rule). (249) Although COPPA and the COPPA Rule are both limited to children under age thirteen, this legislation is very significant for Internet commerce because it is the first U.S. privacy law that imposes substantial obligations on Web site operators.

Industry groups may create self-regulatory programs to govern their members’ compliance with the COPPA Rule. (250) Such a program will only be effective after the group has submitted the self-regulatory program to the FTC and obtained its approval. (251) The FTC will publish proposed self-regulatory programs for public notice and comment before approving them. (252) Once the FTC has approved a self-regulatory program, compliance with it will create a “safe harbor” from any FTC enforcement actions for violations of COPPA. (253) In order to qualify as a safe harbor, a program must require members to comply with the substantive requirements of the COPPA Rule (notice

It is unclear whether Web site operators targeting children will comply with COPPA. In March 2001, the Annenberg Public Policy Center published a report of its study of 162 such Web sites. (256) It found ten percent in blatant noncompliance with COPPA, and almost half failed to comply with important elements of the COPPA Rule. (257) The FTC has clearly indicated its intention to police compliance with COPPA, however. In July 2000, the FTC sent e-mails to scores of Web sites directed at children warning them that they were subject to the requirements of COPPA, and that they faced FTC enforcement actions if their sites were not revised to comply with the law. (258) In April 2001, the FTC settled three cases with Web site operators that had not complied with the requirements of COPPA. (259) The Girlslife.com Web site targeted girls aged nine to fourteen, and offered features such as on-line articles and advice columns, contests, and penpal opportunities. Partnering with BigMailbox.com and Looksmart Ltd., it also offered to children free e-mail accounts and on-line message boards. The FTC alleged that each of the defendants collected personal information from children, including such things as full name and home address, e-mail addresses, and telephone numbers. None of the Web sites posted privacy policies that complied with the Act or obtained the required consent from parents prior to the collection of their children’s personally identifiable information. The Web sites collected children’s personal information for their own internal uses, enabled children to publicly reveal their personal information on-line without first obtaining parental consent, and provided children’s personal information to third parties without prior parental consent. In addition to requiring the operators to comply with COPPA in the future and pay a total of $100,000 in civil penalties, the settlements also required the operators to delete all personally identifying information collected from children on-line at any time since the COPPA Rule’s effective date. (260)

What is remarkable about COPPA is the unqualified manner with which it mandates compliance with fair information practices. This is a remarkable testament to the ability of U.S. lawmakers to pass strong information privacy laws, and is in marked contrast with the obscure, limited reforms achieved in the GLB Act. The costs of complying with COPPA are substantial, however, and many Web sites targeting children have curtailed the range of services they offer, ceased collecting any personal information, or simply shut down after COPPA because they felt the costs of compliance were prohibitive. (261)

The GLB Act was signed into law in 1999. (262) In Congress, the Act developed out of broad efforts at the reform of the banking regulatory system to broaden the powers of banks, motivated by the sense that the existing system made little sense in the increasingly interconnected global financial markets. Among other things, banks sought to repeal the provisions of the Glass-Steagall Act (263) separating commercial banks from investment banks, to liberalize the rules governing the types of financial activities in which companies owning commercial banks may engage, and to allow bank subsidiaries to engage in a broad range of financial activities not permitted to banks. Banks had been working for over a decade to have Glass-Steagall repealed, and in 1999 it became apparent that the political obstacles to accomplishing this had finally been overcome. One of the political compromises struck in order to ensure passage of the financial services regulatory-reform provisions was the addition of provisions related to financial privacy. (264) Generally, these prohibit (subject to a variety of exceptions) the disclosure by a financial institution (or any of its affiliates) of any “nonpublic personal information” to a “nonaffiliated third party.” (265) Financial services conglomerates scored a major legislative victory by excluding the sharing of personally identifiable information among affiliates from the scope of the GLB Act.

EU DATA PROTECTION LAW AND THE U.S. SAFE HARBOR

In 1995, the EU adopted a Data Protection Directive that provides individuals with powerful protections from non-consensual uses of personal data. (266) The DP Directive was designed to harmonize the laws of the fifteen member states regarding the rights of individuals with regard to the privacy of personal information. (267) By 1998, each member state in the EU was to have enacted privacy laws conforming to the provisions of the Directive. (268) (Some member states missed the 1998 deadline, and by 2001, France, Ireland, and Luxembourg still had not yet enacted the required legislation, although legislative proposals were pending in all three.) (269) The Directive is based on the premise that privacy is a fundamental human right, and that any standardization of data protection laws in Europe must proceed on that basis. (270)

The Directive restricts the circumstances under which personal information can be transferred out of Europe. Such transfers may take place only if the target country ensures an “adequate” level of protection. (271) “The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations,” and questions about the adequacy of levels of protection may be raised either by member states or the European Commission. (272) In the absence of an adequate level of protection, the transfer of data to a third country may nevertheless be permitted if the individual has unambiguously consented to the transfer, or the organization receiving the personal information has in place adequate safeguards based on contractual obligations. (273) As a result of implementing the Directive, many EU member states now require the party outside the EU receiving the personal data to deposit with the national data protection agency a copy of

inaccurate when the certificate was issued. (93) The ES Directive assigns to the certification-service-provider the burden of showing what the relevant standard of care is and that it met it. (94) No certification-service-provider is required to issue “qualified certificates,” however, so it remains to be seen how many businesses will think they can afford to do so profitably.

Electronic Money Directive

In 2000, the EU issued a directive regulating “electronic money institutions,” which member states are required to transpose into national legislation by April 2002. (95) The E-Money Directive is one of the first attempts by the EU to regulate the emerging market for emerging payment services. It was surrounded by some controversy during its drafting, as some member states were anxious to regulate this market more strictly, while other member states wanted to adopt a more laissez-faire approach. (96) The main principles of the E-Money Directive include protecting consumers by creating a framework of prudential supervision of new payment services

An important consumer protection is the right of bearers of e-money to redeem it at par value without charge for coins and bank notes or funds transfer. (99) Electronic money institutions are required to comply with applicable laws aimed at preventing losses of customers’ funds and to maintain sound administrative and accounting systems and internal control mechanisms. (100) The E-Money Directive also introduces a prudential supervisory system for electronic money institutions that is separate from that applicable to banks, in that it is more specific and less complex. This simplification of financial supervision, however, is offset by the fact that electronic money institutions are subject to tighter restrictions than credit institutions as regards the scope of their activities and investment.

Brussels Regulation

Until 2001, the Brussels Convention (101) applied to most civil and commercial matters, and will therefore apply to Internet commercial transactions. Article 3 of the Brussels Convention specifically prohibited exorbitant bases of jurisdiction from being exercised in national legal systems. (102) It applied, however, only to defendants located in other signatory states: if the defendant was not domiciled in a signatory state, exorbitant bases of jurisdiction could be used. The Brussels Convention provided that a consumer was entitled to bring proceedings against a vendor in the jurisdiction where the consumer resides

In 2001, the Brussels Convention was replaced with a regulation (Brussels I Regulation) (104) issued by the EU that established substantially the same common standards on jurisdiction and on the enforcement of judgments in civil and commercial matters. (105) Like the Convention, the regulation provides that if a consumer has formed a contract where she is domiciled with a business entity that “by any means, directs such activities” from another jurisdiction into that member state, then the consumer has the right to sue the business in her member state. (106) It is unclear whether merely maintaining a Web site that can be accessed by consumers in the EU will be sufficient to meet the standard for “by any means directing activities” into the EU.

DOMAIN NAME ISSUES

The Internet Corporation for Assigned Names and Numbers (ICANN) Uniform Domain Name Dispute Resolution Policy (UDRP) (107) took effect in 1999, and produced an avalanche of arbitration proceedings dealing with domain name disputes. (108) Whether this represents success in dealing with one of the biggest areas of legal concerns for on-line businesses probably depends on the eye of the beholder: studies of the results of UDRP proceedings show that trademark owners are winning most of the cases they bring. (109) Another source of controversy surrounding ICANN’s administration of generic top-level domains (gTLDs) has been the process of expanding the number of gTLDs.

Until 2000, gTLDs were largely limited to the well known .com, .net, and .org domains. For some time, there had been pressure from many interested parties to open up additional gTLDs in order to expand the number of domain names available, but such calls for new gTLDs were resisted strenuously by major trademark owners out of fear of increased opportunities for confusion regarding sponsorship of a site. In 2000, ICANN made the decision to expand the number of gTLDs by seven: .aero for the air transport industry

Some critics of the ICANN decision to limit the creation of new gTLDs have taken matters into their own hands and have begun making new domain extensions available, notwithstanding their lack of recognition by ICANN. Alternative domain name registrars such as Name.Space and New.Net have been operating for several years and have taken the miscalculation by ICANN’s board regarding demand for new gTLDs as an opportunity to expand their operations. In order to access the alternative domain name systems managed by these alternative domain name registrars, end users must download special software and reconfigure their browsers. Having done so, end users can access domain names with extensions such as: .arts, .school, .church, .love, .golf, .auction, .agent, .llp, .llc, .scifi, and .xxx. Name.Space had been offering a .biz gTLD for several years before that extension was approved by ICANN last fall, so it is clear that ICANN does not consider that the operation of the alternative domain name systems can preempt its own operations.

Although ICANN has approved several dispute-resolution service providers, the World Intellectual Property Organization (WIPO) and the National Arbitration Forum (NAF) handle over ninety percent of disputes handled under the UDRP. (112) Initially the complaining party chooses a single arbitrator. (113) If the domain name registrant accepts that arbitrator, then the complaining party pays the fees of the arbitrator. (114) The domain name registrant can ask for a three-person arbitration panel, but then it must pay half of the fees for the three-person panel. (115) The typical fees are quite modest. For example, if one domain name is in dispute, the WIPO fee for a single arbitrator is $1,500

In the first year the UDRP was in effect, the procedures were invoked in over 2000 disputes. (117) The success of the UDRP doubtless is driven by the favorable results it offers trademark owners (who are, after all, the ones choosing the forum). For one thing, the UDRP substantially solves the problem of obtaining personal jurisdiction over the registrant, at least if the trademark owner is willing to accept a resolution limited to the domain name and forgo the possibility of money damages or broader injunctive relief. Also, trademark owners tend to be quite successful under the UDRP. For example, a study by Professor Milton Mueller of Syracuse University found that the challenged domain name registrant failed to respond in thirty-four percent of those disputes

The body of decisions is forming new international common law for trademark and domain name issues similar to the common law that has developed in the area of international arbitrations. There is no evidence that this huge mass of decisions, which is accumulating at such astonishing speed, is forming a coherent body of law, however. One commentator noted that unfortunately, the decisions diverge widely on the most important UDRP issues. (120) For example:

* Does a person have a legitimate interest in a generic domain name if he intends to sell it to a broker?

* Is a person who registers and passively holds a domain name guilty of bad-faith “use”?

* Are holders of dictionary-word domain names on “constructive notice” of trademarks for purposes of determining bad faith? (121)

There have been relatively few cases of litigation following a UDRP proceeding, and ICANN makes no effort to collect information on those cases. Even if that information is made available, it is not clear that the UDRP panelists will look to opinions in cases decided by national courts as having precedential value in UDRP cases. Unless there is a system of appeals within the ICANN UDRP system, it is unclear how the current variations in the application of UDRP and UDRP rules can be reduced or eliminated.

INTERNET SERVICE PROVIDER LIABILITY

Internet service providers (ISPs) remain an easy target for anyone aggrieved by the behavior of one of their subscribers because, unlike many subscribers, ISPs are not normally difficult to locate or judgment-proof. Although Congress has intervened on more than one occasion to provide ISPs with safe harbors from at least some bases of liability, (122) they remain at risk of being found liable for such shortcomings as contributory trademark infringement, or negligent failure to maintain adequate security for their facilities.

INTERNET ACCESS FOR THE DISABLED

Title III of the Americans with Disabilities Act of 1990 (ADA) (123) requires that public accommodations and “place of public accommodation” services operated by private entities assure equal opportunities for access to individuals with disabilities. (124) Given the open, public character of the Internet, there has been considerable debate over whether Web sites operated by private parties constitute “places of public accommodation” such that private Web site operators must comply with the requirements of the ADA in designing and operating their Web sites. (125) If the ADA applies, then the private provider of public accommodations must furnish appropriate auxiliary aids and services where necessary to ensure effective access to the handicapped, unless to do so would result in a fundamental alteration of the accommodations or result in an undue burden. (126)

By 2001, there had been no reported legal opinions applying the ADA to Web sites maintained by private parties. In 1996, Deval Patrick, an assistant attorney general in the Civil Rights Division of the U.S. Department of Justice, responded to an inquiry from a constituent of Senator Tom Harkin regarding the application of the ADA to Internet browser technology. (127) The letter advised that although the ADA might apply to Internet access generally, it was not clear that the ADA could be used to require Web site operators to assure the compatibility of their sites with the Lynx browser because a variety of other strategies were available to ensure the handicapped were able to access Internet content. (128) In 1999, the National Federation of the Blind (NFB) sued America Online (AOL) for failure to comply with ADA requirements. AOL entered into settlement negotiations with the NFB, and no reported opinion was issued in that case. In order for the disabled to establish that the ADA applies to Web sites, the interpretation of “place of public accommodation” will have to be clarified. Some courts have interpreted “place” quite literally

In 1998, section 508 of the Rehabilitation Act of 1973 was amended to require federal departments and agencies to provide electronic content in a manner that facilitates access by the handicapped. (131) The federal Architectural and Transportation Barriers Compliance Board (Access Board) was charged with developing standards that would identify appropriate technologies and set standards for accessibility. (132) In December 2000, the Access Board issued the Electronic and Information Technology Access Standards (EITAS). (133) The Access Board convened the Electronic and Information Technology Accessibility Advisory Committee (EITAAC) with its membership drawn from different stakeholder communities. EITAAC worked with industry groups such as the World Wide Web Consortium, an Internet standards developing body, to harmonize its standards with work already being done in the private sector to establish accessibility guidelines. Once the standards became effective on June 21, 2001, individuals with disabilities were able to file complaints alleging that a federal agency had not complied with the standards, but only with reference to technology that was procured after the effective date. (134) In light of the absence of concrete legal standards in this area, the EITAS may become a de facto benchmark for evaluating the accessibility of Web sites maintained by private parties, even though the regulation by its express terms does not apply to private parties.

PORNOGRAPHY

The Child Online Protection Act (COPA) (135) made it a criminal offense to knowingly make any communication for commercial purposes by means of the World Wide Web that is available to any minor and includes material that is harmful to minors. (136) The statute established a standard for “harmful to minors” that included obscene material or material that, applying contemporary community standards, pandered to the prurient interest. (137) COPA was struck down as unconstitutional by a district court (138) and the U.S. Court of Appeals for the Third Circuit. (139) In 2001, the Supreme Court granted certiorari (140) but there seems to be little likelihood that the district court and the Third Circuit will be overruled.

Not to be deterred by this series of failures, Congress tried once again to restrict the distribution of pornography over the Internet in the name of protecting children in the final days of the Clinton Administration, by inserting the Children’s Internet Protection Act (CHIPA) (141) into an appropriations bill at the last minute. This legislation would withhold federal funds to libraries that fail to adopt adequate standards to curb access to pornography in libraries. (142) In early 2001, the American Library Association (ALA) and the American Civil Liberties Union (ACLU) challenged CHIPA on First Amendment grounds. In negotiations with the Justice Department, the ALA and ACLU were able to get the deadline for implementation of its requirement that libraries obtain and install filtering software postponed to 2002 pending a determination of the constitutionality of the statute. (143)

CONTRIBUTORY TRADEMARK INFRINGEMENT

In Gucci America, Inc. v. Hall & Associates, (144) the court refused to dismiss Gucci’s contributory trademark infringement complaint against an ISP that had been notified twice by Gucci that its customer was using the ISP’s facilities to infringe on Gucci trademarks. (145) The court held, as a matter of first impression, that the Communications Decency Act’s (CDA) Internet service provider safe harbor (146) did not extend to contributory trademark infringement, nor was the complaint barred by the First Amendment. (147) The court noted that the CDA explicitly requires the scope of the safe harbor provision contained in 47 U.S.C. section 230(c)(1) to be interpreted in a manner that does not “limit or expand any law pertaining to intellectual property.” (148) The court felt that the Internet service provider’s role in hosting the Hall’s site was similar to the role played by flea market vendors in Fonovisa Inc. v. Cherry Auction, Inc. (149) and Hard Rock Cafe Licensing Corp. v. Concession Services, Inc., (150) and therefore could withstand Mindspring’s motion to dismiss. The court noted that, as an ISP hosting a site, Mindspring’s relationship to the infringing conduct was different than the relationship between a domain name registrar and someone registering an infringing domain name, and so distinguished this case from Lockheed Martin v. Network Solutions (151) in which the domain name registrar was held not liable for contributory trademark infringement after registering infringing domain names. (152)

NEGLIGENCE IN MAINTAINING AN INTERNET SITE

In Computer Tool & Engineering, Inc. v. Northern States Power Co., (153) a company claimed damages against a local utility for negligence in permitting a power surge that had damaged the company’s computer equipment. The local utility defended by arguing the plaintiff’s own negligence had contributed to the damage, and the damages awarded to the plaintiff were reduced as a result, which was upheld on appeal. (154)

One case that might have been a test case for negligence liability for ISPs was pleaded as a contract dispute, and then settled out of court. In December 2000, FirstNET Online (FNO), a Scottish Internet service provider, filed suit against Nike, Inc. in an effort to collect £25,000 plus value added tax (the UK equivalent to sales tax) for services rendered in June 2000 after Internet traffic on Nike’s site was rerouted to FNO’s site. FNO expended considerable resources in responding to Nike’s request for assistance in dealing with a domain name reroute security problem, with the expectation that Nike would compensate FNO for its efforts. FNO eventually filed suit against Nike for breach of contract when Nike refused to pay its invoice for services rendered

The domain name rerouting was allegedly accomplished by S11, and was made possible by vulnerabilities in the computer security of Nike, Network Solutions, and FNO. S11 is an Australian organization that took its name from its efforts to shut down the World Economic Forum held on September 11, 2000 in Melbourne, Australia. (155) S11 engages in nonviolent direct action to promote the cause of global justice and environmentalism. S11 allegedly instructed Network Solutions Inc. to revise the information it had in its “Domain Name System” (DNS) database, deleting the correct Internet Protocol (IP) addresses of Nike’s Web servers and substituting the IP addresses of FNO. As a result of this unauthorized change in the Network Solutions DNS database, traffic intended for the Nike site was routed instead to the FNO site. The same perpetrator also instructed the FNO system first to accept Nike’s traffic and then to forward it on to S11’s system.

When FNO first became aware of a sudden increase in the volume of traffic coming into its system, it quickly determined that the influx was coming from Nike. Although FNO had some difficulty in tracking down the responsible party at Nike because Nike had not kept its entries in the DNS database updated to reflect staffing changes, FNO was eventually able to locate someone in a position of responsibility at Nike. Nike requested FNO to forward its rerouted traffic back to Nike, not to bounce it back to its originator or forward it on to S11, and FNO complied with this request until Nike was able to correct the DNS entries that were causing its traffic to be misrouted. The problem took Nike nearly two days to fix. During that period, traffic to FNO’s system increased nearly twenty-fold, causing the FNO system to crash repeatedly, which disrupted the service FNO was able to provide to its customers.

The problem arose in part because Network Solutions offers three different levels of security for identifying parties authorized to revise records to its DNS database. The lowest level of security is “MAIL-FROM” which will accept instructions from anyone who sends, or who appears to send, mail from the e-mail address Network Solutions’ records show as being the e-mail address for the administrative contact for that domain name. The problem with MAIL-FROM security is that the e-mail address is listed in the WHOIS database maintained by Network Solutions and is accessible to anyone. Because e-mail addresses can be “spoofed” quite easily, the MAIL-FROM system of authenticating requests to make changes in DNS records is very insecure. Network Solutions also offers the “Crypt-Password” authentication system which requires the use of a password before a DNS record can be modified, as well as digitally signed messages using Pretty Good Privacy encryption software, which are much more secure than MAIL-FROM. It is unclear from press accounts of the problem which form of security Nike was using to control access to its DNS records, but it seems likely it was using MAIL-FROM.
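The three authentication levels described above, sketched as a verifier for a DNS record change request. This is an added example, not Network Solutions' code: the contact record, header names and helper functions are hypothetical, PBKDF2 stands in for the Crypt-Password scheme, and a keyed HMAC tag stands in for a PGP signature.

```python
import hashlib
import hmac
from email.message import EmailMessage
from email.utils import parseaddr

SALT = b"constructed-salt"
ITERATIONS = 100_000

# Constructed registrar record for one domain; every value here is made up.
CONTACT = {
    "admin_email": "hostmaster@example.com",  # the same address WHOIS publishes
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, ITERATIONS),
    "signing_key": b"constructed key held only by the contact",
}


def sign(key, text):
    """Stand-in for a PGP signature: a keyed tag over the request body."""
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()


def make_request(from_addr, body, password=None, key=None):
    """Build a change request as an e-mail message (constructed sample input)."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["Subject"] = "MODIFY example.com"
    msg.set_content(body)
    if password is not None:
        msg["X-Password"] = password          # hypothetical header
    if key is not None:
        msg["X-Signature"] = sign(key, msg.get_content())  # hypothetical header
    return msg


def check_mail_from(msg, contact):
    """MAIL-FROM: the From header is sender-supplied text, so a match
    shows only that the sender knows the published address."""
    _, addr = parseaddr(str(msg["From"]))
    return addr.lower() == contact["admin_email"]


def check_password(msg, contact):
    """Password scheme: proves knowledge of a secret, but does not bind
    the secret to the content of the request."""
    supplied = str(msg["X-Password"] or "").encode()
    digest = hashlib.pbkdf2_hmac("sha256", supplied, SALT, ITERATIONS)
    return hmac.compare_digest(digest, contact["pw_hash"])


def check_signature(msg, contact):
    """Signed scheme: the tag covers the body, so a changed body fails."""
    expected = sign(contact["signing_key"], msg.get_content())
    supplied = str(msg["X-Signature"] or "")
    return hmac.compare_digest(supplied.encode(), expected.encode())


CHECKS = {
    "MAIL-FROM": check_mail_from,
    "CRYPT-PASSWORD": check_password,
    "SIGNED": check_signature,
}


def evaluate(msg, contact=CONTACT):
    """Return, for each scheme, whether the registrar would accept msg."""
    return {scheme: check(msg, contact) for scheme, check in CHECKS.items()}


ADMIN = CONTACT["admin_email"]
# Request from the real contact, carrying the password and a valid tag.
genuine = make_request(ADMIN, "nameserver: 192.0.2.10\n",
                       "correct horse", CONTACT["signing_key"])
# Request whose sender knows nothing but the address listed in WHOIS.
address_only = make_request(f"Hostmaster <{ADMIN}>", "nameserver: 203.0.113.99\n")
# Copy of the genuine request whose body was changed after it was signed.
altered = make_request(ADMIN, "nameserver: 203.0.113.99\n", "correct horse")
altered["X-Signature"] = str(genuine["X-Signature"])

if __name__ == "__main__":
    for name, msg in [("genuine", genuine), ("address_only", address_only),
                      ("altered", altered)]:
        print(name, evaluate(msg))
```

A registrar that lets the account holder choose the scheme is only as strong as the weakest scheme enabled for that record, which is why the stored contact record, not the incoming message, should decide which check applies.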

CONTROL OVER WEB SITE ACCESS

In 2000, two important cases were decided regarding the rights of Web site operators to restrict access to their sites. In the first case, a district court granted eBay, the on-line marketplace, a preliminary injunction to stop Bidder’s Edge, an on-line aggregator service, from sending software robots over the Internet to access eBay’s computer systems. (156) In the second, a district court granted Register.com, a domain name registrar, a preliminary injunction to stop Verio, a provider of Internet services, from using information taken from its WHOIS database of customer information. (157) In both cases, the visitors were using automated processes to collect large amounts of factual information off the sites that was then reused in the visitor’s commercial activity. The courts concluded in both cases that the private interest of commercial Web site operators in excluding unwanted visitors overrode any public interest in unfettered access to those sites.

EBAY, INC. V. BIDDER’S EDGE

eBay maintains a Web site that permits individual buyers and sellers to find each other, and permits interested parties to bid against each other for goods that have been offered for sale on the site. While anyone can browse the eBay site, no one can submit bids for items without registering as a member of the “eBay community.” This involves clicking on an “I agree” graphic after being shown the terms of the eBay User Agreement. The eBay User Agreement prohibits access to the eBay site through the use of “any robot, spider, other automatic device, or manual process to monitor or copy our web pages or the content contained herein without our prior expressed written permission.” (158) Software robots, often called “spiders” or “bots,” can automatically review and copy the contents of a site and transmit copies of the site to another location. In addition, the eBay site employs “robot exclusion headers.” (159) A robot exclusion header is a message sent to computers that might launch bots to survey the contents of another site to inform the owners of those computers that the site in question does not permit unauthorized robotic activity. Programmers who wish to comply with the Robot Exclusion Standard design their robots to read a particular data file, “robots.txt,” and not to access sites attempting to exclude bots in this manner. For example, search engines make extensive use of bots to build indices of Internet content and then report the results of searches of those indices, not the actual sites, in order to speed up search times, and search engine operators normally program their bots to avoid sites trying to exclude bots. eBay also takes steps to block communications coming from IP addresses if it has reason to believe individuals using those IP addresses are not complying with the terms of eBay’s User Agreement.
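The Robot Exclusion Standard and the IP-based blocking described above, seen from the site operator's side. This is an added example, not eBay's code: the robots.txt rules, the simplified log format, the agent names and the review threshold are all constructed for illustration.

```python
from collections import defaultdict
from urllib.robotparser import RobotFileParser

# Constructed robots.txt: one licensed crawler may go anywhere,
# every other robot is excluded from the listings.
ROBOTS_TXT = """\
User-agent: licensed-aggregator
Disallow:

User-agent: *
Disallow: /listings/
"""

# Constructed access log, one request per line: "<client ip> <agent> <path>".
ACCESS_LOG = """\
198.51.100.7 licensed-aggregator /listings/1001
198.51.100.7 licensed-aggregator /listings/1002
203.0.113.20 examplebot /robots.txt
203.0.113.20 examplebot /help/fees
192.0.2.99 Mozilla /listings/1001
192.0.2.44 pricebot /listings/1001
192.0.2.44 pricebot /listings/1002
192.0.2.44 pricebot /listings/1003
192.0.2.44 Mozilla /listings/1004
"""


def load_rules(text):
    """Parse robots.txt text into a rule set without fetching anything."""
    rules = RobotFileParser()
    rules.parse(text.splitlines())
    return rules


def excluded_hits(log_text, rules):
    """Count, per client IP, the requests for paths that robots.txt
    disallows for the agent name the client presented.

    The count is keyed on IP address because the agent name is chosen
    by the client and can change from one request to the next."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        ip, agent, path = line.split(maxsplit=2)
        if not rules.can_fetch(agent, path):
            hits[ip] += 1
    return dict(hits)


def clients_to_review(log_text, rules, threshold=3):
    """IPs whose volume of excluded requests suggests an automated client
    ignoring robots.txt; a person viewing a few pages stays below it."""
    counts = excluded_hits(log_text, rules)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


RULES = load_rules(ROBOTS_TXT)

if __name__ == "__main__":
    # What a compliant robot checks before each request.
    print("examplebot may fetch /listings/1001:",
          RULES.can_fetch("examplebot", "/listings/1001"))
    print("excluded hits per IP:", excluded_hits(ACCESS_LOG, RULES))
    print("review for blocking:", clients_to_review(ACCESS_LOG, RULES))
```

robots.txt is advisory: it only restrains robots written to honor it, so the log review is what tells the operator which clients are ignoring it.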

Although, as a matter of corporate policy, eBay works hard to exclude bots from its site, it also has a corporate policy to license access to its site to Web auction aggregator services. These services provide their users with comparisons between auctions taking place on eBay and auctions for similar or identical goods taking place on other auction sites such as those sponsored by Amazon.com or Yahoo! As part of its standard terms for licensing access to its site to aggregators, eBay requires aggregators to perform real-time checks of availability and pricing on the eBay site and display the results of those real-time searches in creating a comparison among competing auction sites.

Bidder’s Edge was an aggregator service that first entered into a license agreement with eBay in 1998 covering only selected types of goods. In 1999, Bidder’s Edge entered into negotiations with eBay in order to expand its license to provide comparisons on a wider range of goods offered on the eBay site. These negotiations broke down, however, and Bidder’s Edge began sending bots onto the eBay site to copy the entire site. eBay demanded that Bidder’s Edge stop accessing its site with bots and making copies of all the information it found there for its later use, and took all steps possible to block Bidder’s Edge’s access. After these strategies failed, eBay sought an injunction to stop Bidder’s Edge from accessing its site with bots without a license. eBay alleged that Bidder’s Edge had accessed the eBay site approximately 100,000 times per day, which constituted around one percent of all traffic on the eBay site. eBay sought a preliminary injunction to prevent Bidder’s Edge from accessing its site and cited eight legal theories: (i) trespass to chattels, (ii) false advertising under the Lanham Act, (160) (iii) federal and state trademark dilution, (iv) violation of the Computer Fraud and Abuse Act, (161) (v) unfair competition, (vi) misappropriation, (vii) interference with prospective economic advantage, and (viii) unjust enrichment. On May 24, 2000, the district court granted the preliminary injunction based on the trespass to chattels theory, barring Bidder’s Edge from further accessing the eBay site pending disposition of the litigation. (162)

The idea of applying the doctrine of trespass to chattels to unauthorized access to networked communication systems had already been raised in Thrifty-Tel, Inc. v. Bezenek (163) and Compuserve, Inc. v. Cyber Promotions, Inc. (164) In both of these cases, the courts held that electronic access to telephone or computer networks was a sufficiently tangible interference with the property rights of the owner of a chattel, the network equipment, to give the owner a cause of action. (165) The further development of this idea in the eBay case was welcomed in some quarters and decried in others. Supporters argued that unless operators of Internet sites such as eBay had the right to exclude organizations such as Bidder’s Edge that evaded eBay’s attempts to block their unauthorized access to its servers, operators of Internet sites would not be able to justify the kind of large investment in equipment that eBay had made to operate its site. From this perspective, the application of trespass to chattels to unauthorized electronic access to network equipment was consistent with the historical development of that doctrine and the doctrine of trespass to real property. Opponents argued that granting eBay an injunction based on a trespass to chattels theory was tantamount to recognizing a new intellectual property right in factual information. Such a de facto intellectual property right in data was too generous to eBay, however, because the doctrine of trespass to chattels lacks the explicit balancing of public interest in expanding access to ideas and information against the private interest in limiting access to ideas and information characteristic of intellectual property rights. Furthermore, critics of the holding in Bidder’s Edge argued that the doctrine of trespass to chattels, which requires more than a formal showing of interference with the owner’s control over a chattel, requiring instead a showing of actual harm which eBay had not done, was misapplied in this case.

In February 2001, the U.S. Court of Appeals for the Ninth Circuit heard oral arguments in this case, but that same month, Bidder’s Edge shut down its Web site. It announced it was trying to reposition itself in the electronic commerce marketplace by looking for opportunities to license its search and aggregation technologies. (166) In March 2001, Bidder’s Edge paid eBay an undisclosed sum to settle the litigation, which removed the case from consideration by the Ninth Circuit.

REGISTER.COM V. VERIO (167)

In December 2000, in Register.com, Inc. v. Verio, Inc., the court granted an injunction to Register.com, a domain name registrar, to prevent Verio from using bots to download copies of Register.com’s WHOIS database information about its customers and from using that information in misleading direct marketing campaigns targeted at Register.com’s customers. (168) Register.com was one of the domain name registrars accredited by ICANN after Network Solutions lost its monopoly over the registered.com, .net and .org gTLDs. Verio was a major provider of Internet services including Web hosting services. Verio was able to extract contact information from Register.com’s WHOIS database for individuals that had recently registered domain names and offered them Web hosting services in a manner that suggested Verio was associated with Register.com or authorized to contact these individuals on behalf of Register.com. These solicitations of Register.com customers by Verio often caused considerable confusion and even ill-will towards Register.com among those customers.

The court granted Register.com a preliminary injunction based on its showing of a likelihood of success on the merits on four separate grounds: breach of contract, (169) trademark infringement, (170) trespass to chattels, (171) and violation of the Computer Fraud and Abuse Act (CFAA). (172) The court in Register.com did not address the issue raised in the amicus curiae brief of law professors opposed to the ruling in eBay

The breach of contract claim was based on the fact that Register.com had conditioned access to its WHOIS database on an agreement by the searcher not to use the information for mass marketing purposes, and not to access the WHOIS database using automated processes such as bots, but Verio had done both of these. The trademark infringement was based on Verio’s use of a service mark that was confusingly similar to Register.com’s when it solicited Register.com’s customers by telephone. The trespass to chattels claim was based on the fact that Verio’s access exceeded the scope of the license Register.com had granted to it, and Register.com’s showing that Verio had interfered with its operation of its computer systems, resulting in a reduction of Register.com’s computer system the contract governing the transfer so that the data protection agency is aware of the fact of the transfer and of the terms under which it is taking place.

Even before the Directive was finalized in 1995, representatives of the United States and EU were discussing what the United States response to the Directive would be. The bargaining position of the United States was that self-regulation by private parties should be an adequate substitute for comprehensive information privacy legislation in the United States and the creation of a new U.S. “Federal Privacy Agency.” The EU initially thought the United States should enact strong, comprehensive national privacy legislation, a proposal which has support among privacy advocates in the United States. As the 1998 deadline for implementation of the Directive by member states approached without any realistic possibility of such legislation getting through Congress, however, EU negotiators were forced to consider self-regulation. EU representatives have been profoundly skeptical of the effectiveness of self-regulatory schemes, however. On the other hand, U.S. companies are profoundly unhappy at the thought of being subject to possible enforcement actions taken by the fifteen different data protection officials in each of the EU member states. Many of these data protection officials genuinely believe that privacy is a fundamental human right, in part because many Europeans still remember all too well the tragic consequences of Nazi disregard for privacy rights. Many European data protection authorities also believe that modern American style marketing practices are simply unnecessary and unwanted in European markets. (274)

The U.S. Department of Commerce negotiated an agreement with the Commission of the European Union “[i]n order to bridge [the] different privacy approaches, and provide a streamlined means for U.S. organizations to comply with the Directive.” (275) This agreement created the “safe harbor” framework, which was approved by both sides in 2000. (276) In order to qualify for protection within the safe harbor, a U.S. company will have to self-certify that its procedures for handling the personal information of individuals in Europe conform with the fair information practices outlined in the safe harbor agreement, which in turn are based on the provisions of the Directive. (277) Once a company has certified that it complies with the information privacy principles in the safe harbor agreement, if it later is discovered that the company has failed to live up to its commitments regarding the handling of information about EU individuals, only U.S. state and federal trade practice regulators can take enforcement action against that company. (278) In return for permitting U.S. companies to avoid the enforcement jurisdiction of data protection officials in the EU member state countries, EU negotiators required a much stronger enforcement mechanism and closer adherence to fair information practices than is required by any of the private privacy seal programs discussed above. Once they had been finalized, the EU finally issued a decision declaring that U.S.-based companies adhering to the safe harbor privacy principles could transfer data from the EU to the United States without the threat of civil or criminal liability. (279) (The EU reserved the right to reverse this decision if at some point in the future it comes to the conclusion that the safe harbor is not working as intended.) (280)

In the first year of its operation, the safe harbor has proved to be something of a disappointment for its architects, however. By July 2001, only seventy-eight U.S. companies, out of a potential population of thousands, had self-certified. (281) This means that EU citizens may have no information about the information practices of any U.S. company they might wish to deal with if that company has not posted a privacy policy, and even if it has posted one, may have trouble discerning how close those privacy practices come to the EU standard of strict adherence to fair information practices. The thousands of U.S. companies that might have self-certified seem to be either less concerned by the risk of enforcement action than they led the Department of Commerce to believe during safe harbor negotiations, or hope to be able to slip under the radar of underfunded, overworked data protection agencies within the fifteen member states.

Article 26(2) of the DP Directive provides that a member state may authorize transfers of personal information out of the EU to a country that does not ensure an adequate level of protection of information privacy if the data controller inside the EU wishing to transfer the data can demonstrate to the satisfaction of the data protection authority in the member state that the data will in fact be protected. (282) One safeguard the controller seeking to make the transfer may demonstrate is “appropriate contractual clauses.” (283) In 2001, the EU Commission issued a decision setting out standard contractual clauses that parties to international data transfers could incorporate in their agreements in order to establish that there would be adequate safeguards to protect the personal information after it left the EU. (284) The decision requires member states to recognize that companies or organizations using such standard clauses are offering “adequate protection” to the data. (285) Parties to international data transfers are not required to use the standard clauses, however. The Commission issued them to simplify negotiations between data controllers wishing to transfer data outside the EU, the prospective transferees of the data, and the data protection authorities within the member states who are required to review the proposed transfers and approve them before they can take place. (286) Thus, if someone inside the EU wants to transfer data to someone in the United States who has chosen not to participate in the safe harbor, it may still be possible to make the transfer, provided the transferor gets the permission of its national data protection authority based on having appropriate restrictions on the United States’ use of the data in the contract governing the transfer

Data exporters and importers are required to assume joint and several liability. Data subjects who suffer damage as a result of a breach of the contract provision guaranteeing the information privacy rights of the data subjects concerned, are entitled to obtain compensation from either the Data Exporter or the Data Importer or both. (287) This is designed to reduce the practical difficulties faced by EU citizens seeking to enforce their third-party beneficiary rights under the data transfer contract.

SELF REGULATION AND PRIVACY ENHANCING TECHNOLOGIES

In September 2000, the Privacy Commissioners of Ontario, Canada and Australia published the results of their joint review of the three main privacy seal programs. (288) This study examined each seal program in terms of the rigor of their policies, their systems for policing compliance with their policies by members of their seal programs, and the efficacy and fairness of their ADR procedures. (289) The benchmark used by the Commissioners in their study was the statement of fair information practices contained in the 1980 OECD Guidelines. (290) Regarding privacy standards, out of eight possible marks, the scores awarded were: BBBOnLine 6.25

If the architecture of Internet commerce could be modified to give individuals more control over how their personal information is collected and used, then reform of U.S. privacy law would not be such an essential element to any program aimed at providing Americans with more information privacy rights. The concept of “privacy enhancing technologies” (PET) is now attracting quite a bit of attention as one possible mechanism for increasing compliance with fair information practices in electronic commerce. (296) A leading example of a PET that might change the way Internet commerce is conducted is a technical standard called the Platform for Privacy Preferences Project (P3P), which is being developed by the World Wide Web Consortium (W3C), one of the leading Internet standard setting organizations. (297)

If Internet commerce sites and consumer browsers are all configured to support P3P, then consumers will be able to set their browsers to remember their privacy preferences. When a consumer visits a Web site, the browser will access the site’s P3P-encoded privacy policy and compare it with the user’s preferences. If the site does not meet the consumer’s standards for information privacy, the browser would block the transmission of the consumer’s personal information to the site, but the consumer may find access to parts of the Web site blocked as a result. While some privacy advocates support P3P because it appears to give consumers more control over who can collect personal information from them, (298) others are critical for several reasons. One is that companies that distribute browser software will be able to establish the default settings in the browser software that a consumer will have to modify to personalize the privacy preference settings. Many consumer advocates and government regulators outside the United States are skeptical of how an organization such as Microsoft will exercise its power to set the default responsibility. Microsoft has indicated that it will set its browser software to reject cookies unless a Web site has encoded its privacy policy to support P3P and it also permits a consumer the choice to “opt-out” of having personal information collected. (299) Privacy advocates counter that this is still too administratively complex and burdensome an approach to information privacy, and would argue that “opt-in” should be the default setting.

Although the P3P standard aspires to be a global standard, it may prove to be too U.S.-centric to be very appealing to consumers and organizations outside the United States. While the P3P codes were being developed, representatives of the EU pointed out that codes were being set that would facilitate transfers of data that were unlawful under EU law. (300) While the specific objections of EU representatives to the standards setting process were addressed before the P3P standard was finalized, the center of gravity of the development process was U.S. Internet commerce, not Internet commerce as it is conducted outside the United States. As a result, unless a consumer is technologically sophisticated, the consumer’s browser may actually end up releasing more personally identifiable information about the consumer to commercial Internet sites than would be the case today. Such an outcome is consistent with the U.S. business community’s perception that U.S. consumers want responsible businesses to have their personal information so that consumers can receive targeted marketing, but it is inconsistent with the perception of privacy advocates and EU regulators, which is that transfers of personal information are always problematic, should not be facilitated without the express, knowing authorization of the consumer, and should always be limited in scope to the minimum amount of information necessary to address the task at hand.

As with the Internet generally, there is no central organization overseeing the implementation of the P3P standard. Each company maintaining a commercial Web site that collects personal information will have to make its own decisions about how the company’s privacy policy is encoded with P3P codes. The company will be expected to encode its privacy policy to indicate what types of data are collected, what uses are made of it, who can access it, and how long it is saved. (301) There is no system for auditing a company’s actual information practices to determine how accurately the P3P codes reflect those practices, or even the written version of the privacy policy.
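The comparison a P3P-aware browser performs between a site's encoded policy and the user's preferences, and the effect of the vendor-chosen default discussed above, as an added example. It is a simplified model, not the W3C P3P vocabulary or any browser's implementation: the field names, category labels and both default profiles are hypothetical.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class SitePolicy:
    """What a site declares about itself (self-reported, never audited)."""
    data: frozenset          # types of data collected
    uses: frozenset          # purposes the data is put to
    recipients: frozenset    # who can access it
    retention_days: int      # how long it is saved
    offers_opt_out: bool


@dataclass(frozen=True)
class Preferences:
    """What the browser will accept on the user's behalf."""
    default: str             # "opt-out" or "opt-in"
    data: frozenset          # data types the user has agreed to release
    uses: frozenset          # uses the user has agreed to
    recipients: frozenset    # recipients the user has agreed to
    max_retention_days: int


def objections(policy, prefs):
    """Return the reasons the browser would withhold personal data.
    An empty list means the data is released to the site."""
    if policy is None:
        return ["site has no encoded policy"]
    found = []
    for label in ("data", "uses", "recipients"):
        extra = getattr(policy, label) - getattr(prefs, label)
        if not extra:
            continue
        names = ", ".join(sorted(extra))
        if prefs.default == "opt-in":
            # Anything beyond what the user agreed to is refused.
            found.append(f"{label} not consented to: {names}")
        elif not policy.offers_opt_out:
            # Under an opt-out default, extras pass if an opt-out exists.
            found.append(f"{label} with no opt-out: {names}")
    if policy.retention_days > prefs.max_retention_days:
        found.append(f"retention exceeds {prefs.max_retention_days} days")
    return found


# Constructed site policy: an order is fulfilled, and the data is also
# used for marketing and shared with partners, with an opt-out offered.
SITE = SitePolicy(
    data=frozenset({"name", "address"}),
    uses=frozenset({"complete-order", "marketing"}),
    recipients=frozenset({"site", "partners"}),
    retention_days=730,
    offers_opt_out=True,
)

# Two profiles for a user who never changes a setting; they differ only
# in the default the software vendor shipped.
VENDOR_DEFAULT = Preferences(
    default="opt-out",
    data=frozenset({"name", "address"}),
    uses=frozenset({"complete-order"}),
    recipients=frozenset({"site"}),
    max_retention_days=1000,
)
OPT_IN_DEFAULT = replace(VENDOR_DEFAULT, default="opt-in")

if __name__ == "__main__":
    print("opt-out default:", objections(SITE, VENDOR_DEFAULT))
    print("opt-in default: ", objections(SITE, OPT_IN_DEFAULT))
```

Because the declared policy is all the browser sees, the result is only as accurate as the site's own encoding of its practices.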

WEB SITE PRIVACY POLICIES

Trying to revise a privacy policy may create even worse problems than having an out of date policy, however. A company could include a provision in its privacy policy stating that it reserved the right to revise the policy at any time without any notice to its customers. In principle, that would mean that any individual whose personal information was collected while that privacy policy was in effect could not object to the company later modifying its privacy policy to reduce its compliance with fair information practices. However, including such a term may make the entire privacy policy “illusory.” In the realm of contract law, if one party offers an illusory promise in exchange for the other party’s substantial one, courts have responded either by finding that no contract exists or by interpreting the terms of the illusory promise so that it acquires some substance and is binding on the party that offered it. (302) The application of contract law precedent to the practice of including such weasel words in a privacy policy is therefore difficult to predict, but clearly it might result in the term in effect being read out of the contract. Even if a court would permit the term to stand, it has become clear that public opinion does not support companies that try to rely on the presence of such weasel words in their privacy policies to justify later modifications in the policy that are detrimental to the interests of individuals whose personal information has already been collected.

Amazon.com triggered a firestorm of criticism when it sent notices to all its customers on September 5, 2000 that on August 31, 2000 it had modified its privacy policy. This modification included the addition of the following clause:

As we continue to develop our business, we might sell or buy stores or assets. In such transactions, customer information generally is one of the transferred business assets. Also, in the unlikely event that Amazon.com, Inc., or substantially all of its assets are acquired, customer information will of course be one of the transferred assets. (303)

In correspondence with the FTC requesting that it open an investigation into unfair and deceptive trade practices by Amazon.com in connection with its privacy policy revision, this clause was labeled the “Wholesale Exception Clause” by Jason Catlett of Junkbusters and Marc Rotenberg of the Electronic Privacy Information Center, two leading privacy advocates. (304) Catlett and Rotenberg argued that this statement, added by Amazon.com in response to the controversy surrounding the toysmart.com bankruptcy discussed below, was deceptive in light of other provisions in the Amazon.com privacy policy stating that certain types of personal information would “never” be shared with third parties. (305) The FTC opened an investigation, but eventually determined that in light of Amazon.com’s actual information practices, it seemed unlikely that Amazon.com had actually engaged in unfair and deceptive trade practices with regard to its privacy policy revision. (306) In the meantime, privacy advocates have attempted to keep the issue as visible as possible and have succeeded in tarnishing Amazon.com’s once sterling reputation as a leader among U.S. Internet businesses for following fair information practices.

Many companies will nevertheless find that they have trouble living within the constraints of an existing privacy policy and need to find some mechanism to modify their privacy policy. One option that is certain to meet with less hostility from privacy and consumer advocates would be to follow the procedures established in COPPA and GLB whenever a privacy policy is modified. Both of those statutes require a company to notify all customers whose personal information it has collected of the change in policy before it takes effect and give those customers an opportunity to opt out of having their personal information handled under the terms of the new privacy policy. (307) The records management burdens of such an approach are significant: the company would need to establish procedures for segregating data according to the privacy policy that was in effect when it was created or the most recent privacy policy that the person identified in the record consented to, and for ensuring that personal information was only handled according to the terms of the relevant privacy policy. Under such a system, a company would have to be able to administer several privacy policies simultaneously, or would have to purge its databases of personal information of those individuals who were unwilling to consent to changes in its privacy policy.

CLASS ACTION LITIGATION

In 2000, a flurry of class action lawsuits was filed, and it appeared to many observers that on-line privacy might be the “next big thing” for the plaintiffs’ lawyers who had learned about information technology anticipating a boom in Year 2000 litigation that never appeared. By 2001, it was still unclear whether these lawsuits would produce any new law regarding the privacy of users in light of innovative new technologies designed to profile users for marketing purposes.

RealNetworks dominates the market for audio and video delivery over the Internet, including the use of streaming media, with an estimated 115 million users of its primary software products, RealJukebox and RealPlayer. (308) Within days of the publication of a story in November 1999 in the New York Times detailing its surreptitious data collection practices, (309) RealNetworks had been named in more than a dozen federal and three state class actions which are being consolidated for multidistrict litigation in the U.S. District Court for the Northern District of Illinois. (310) Plaintiffs in these cases allege that the company’s RealJukebox software, which plays music on a computer, snooped on them once they installed it on their computers, and it reported back to the company over the Internet. Even though the company disputed the charges and asserted that it never did anything improper, it altered its published privacy policy shortly after the litigation commenced, and began making available software fixes that users could download and install to block the tracking technology. The class actions against RealNetworks asserted a variety of legal theories, including allegations of unauthorized access to computer data in violation of the CFAA, (311) and unlawful interception of electronic communications in violation of the Electronic Communications Privacy Act (ECPA). (312) The actions also assert common law claims based on breach of contract, fraud, promissory estoppel, invasion of privacy, and negligence. RealNetworks was successful, however, in staying the litigation and compelling the plaintiffs to submit the dispute to arbitration based on the arbitration provision contained in its clickwrap software agreement. (313)

DoubleClick, Inc. is the leading Internet advertising provider, delivering 1.5 billion banner ads a day on behalf of 1,800 customers to 750 Web site publishers. (314) Beginning in late 1999, DoubleClick came under attack in a variety of arenas for alleged violations of privacy rights. DoubleClick uses “cookies” to identify the computers of individual users and to monitor the individual user’s movements around the Internet in order to better target banner advertisements. DoubleClick perfected a system for using cookies to collect information from the same individual’s activities on many different sites. Several class action lawsuits were filed claiming DoubleClick’s conduct amounted to unfair and deceptive trade practices, common law invasion of privacy, unjust enrichment, trespass to chattels, as well as Wire Fraud Act, ECPA, and CFAA violations. The district court granted summary judgment for DoubleClick on the CFAA and ECPA claims and declined to exercise supplemental jurisdiction over the remaining state law claims. (315)

In addition, in 1999, DoubleClick announced its intention to acquire Abacus Direct, a direct marketing firm, with the intention of merging DoubleClick’s Internet clickstream data with Abacus’ personally identifiable data. (316) When this proposed merger of the two sets of data became public, there was a firestorm of criticism. The Electronic Privacy Information Center filed a complaint with the FTC regarding the proposed merger, alleging that DoubleClick’s proposed merger of the databases was an “unfair and deceptive trade practice” in violation of section 5 of the FTC Act. (317) The FTC and the offices of the Michigan and New York Attorneys General each opened investigations of DoubleClick based on its proposed use of Abacus data. Three months after the merger of the companies and the proposed merger of the databases became public, DoubleClick yielded to overwhelming public criticism of its plan and announced its intention not to merge the two databases. (318) It hired Christine Varney, a former FTC commissioner, to represent it in the FTC investigation, and in 2001 the FTC announced it had closed the investigation. (319) The FTC noted that DoubleClick had undertaken to: add an explanation of Web bugs and how DoubleClick uses them to its privacy policy

In 2000, AOL was sued in connection with its Netscape Communicator SmartDownload software, which AOL acquired in 1998 when it took over Netscape. This program is installed by people downloading the Netscape browser program. Once it has been installed, the software is automatically activated whenever a user downloads files from the Web. The plaintiffs claimed that SmartDownload captures and transmits back to Netscape personally identifiable information without an individual’s knowledge or consent. AOL contended that the feature had been added to the software for technical support reasons, and the information collected had never been used or accessed by AOL for any other reason. The lawsuit sought damages for attempted monopolization in violation of antitrust law, breach of state consumer protection laws, unfair and deceptive trade practices, product liability for defective design and failure to warn, negligence, and negligent misrepresentation as well as violations of the CFAA. In 2001, a federal judge dismissed several of these claims while refusing to dismiss the CFAA claim that AOL had “exceeded authorized access” to the class members’ personal computers. (321)

In 2000, a class action lawsuit was filed against Intuit claiming damages for common law unjust enrichment as well as Wire Fraud Act, CFAA, and ECPA violations based on the fact that Quicken.com placed cookies on users’ hard drives. The court dismissed without prejudice the Wire Fraud and CFAA claims but refused to dismiss an ECPA claim based on Intuit’s intentional access of stored electronic data. (322) The court also refused to dismiss the supplemental state claims. (323)

In 2000, Amazon.com struggled to deal with several on-line privacy public relations disasters. One was the revision of its privacy policy that reduced the protection granted to customers without providing them an opportunity to opt out of the new policy. (324) Another involved a new application Amazon.com developed known as zBubbles. This was a software program that allowed visitors to conduct price comparisons for a product without leaving whatever Web site was currently being visited, and that permitted individuals using the software to buy the product directly from Amazon with one click at any time, even if the individual was still visiting another Web site. zBubbles was sending personally identifiable information in violation of the zBubbles Privacy Policy, which stated: “In connection with your use of the Service, we collect web site usage data and traffic pattern data with respect to your activity both within and across web sites–all of which remains anonymous.” (325) The FTC opened an investigation into complaints about zBubbles as well as complaints about Amazon.com’s subsidiary Alexa Internet. (326) Alexa Internet stated in its privacy policy that it did not collect personally identifiable information, but it did collect the URLs of sites individuals visited, and some Web site operators put personal information into URLs to help visitors navigate, so the URLs could contain personal information. (327) In 2001, Alexa paid $40 per customer, or a total of $1.9 million, to settle the class action lawsuit. (328) FTC investigations of zBubbles and Alexa’s privacy policy were closed in May 2001. (329) The FTC found that it was likely that Amazon.com and Alexa engaged in unfair and deceptive trade practices, but declined to take any enforcement action against them because Amazon.com had since discontinued the zBubbles application and Alexa had modified its privacy policy so that it was no longer inaccurate. (330)

(1.) Electronic Signatures in Global and National Commerce Act (E-SIGN), Pub. L. No. 106-229, 114 Stat. 464 (2000) (codified at 15 U.S.C. §§ 7001-7031).

(2.) UNIF. ELECTRONIC TRANSACTIONS ACT (UETA) (1999), available at http://www.law.upenn.edu/bll/ulc/ulc.htm.

(3.) For a listing of the states that have enacted or introduced the UETA, see THE NAT’L CONFERENCE OF COMM’RS ON UNIF. STATE LAWS (NCCUSL), LEGISLATIVE FACT SHEET (2001), at http://www.nccusl.org/nccusl/uniformact_factsheets/uniformacts-fs-ueta.asp.

(4.) See generally JANE K. WINN & BENJAMIN WRIGHT, THE LAW OF ELECTRONIC COMMERCE ch. 5 (4th ed. 2001)

(5.) E-SIGN § 101(a)

(6.) E-SIGN § 101(b)(2)

(7.) E-SIGN § 101(c)(1)(A). This is not the same standard as “manifest assent” which appears in the RESTATEMENT (SECOND) OF CONTRACTS § 19 (1981). At a minimum, “affirmatively assent” would clearly seem to preclude the use of a “negative option” or other “opt out” procedure for establishing consumer consent.

(8.) E-SIGN § 101(c)(1)(B)(i)(I).

(9.) Id. § 101(c)(1)(B)(ii).

(10.) Id. § 101(c)(1)(B)(i)(II).

(11.) Id. § 101(c)(1)(B)(iii).

(12.) Id. § 101(c)(1)(B)(iv).

(13.) Id. § 101(c)(1)(C)(i).

(14.) Id. § 101(c)(1)(C)(ii) (requiring that the consumer must consent electronically, or confirm his or her consent electronically, “in a manner that reasonably demonstrates” that the consumer can access the information) (emphasis added).

(15.) Id. § 101(c)(1)(D).

(16.) Id. § 101(c)(1)(D)(i). The business is not under obligation to maintain the customer relationship, however, if the consumer withdraws his or her consent.

(17.) FED. TRADE COMM’N, ELECTRONIC SIGNATURES IN GLOBAL AND NATIONAL COMMERCE ACT: THE CONSUMER CONSENT PROVISION IN SECTION 101(c)(1)(C)(ii) (June 2001), available at http://www.ftc.gov/os/2001/06/esign7.htm.

(18.) E-SIGN § 101(b)(2).

(19.) Id. § 104(b)(2)(C)(ii).

(20.) Id. § 104(b)(2)(C)(iii).

(21.) Memorandum from Jacob J. Lew, Director, Office of Management and Budget, to the heads of departments and agencies (Sept. 25, 2000) (OMB Guidance on Implementing the Electronic Signatures in Global and National Commerce Act), available at http://cybercrime.gov/esign.htm [hereinafter OMB Guidance].

(22.) Id.

(23.) E-SIGN § 104(b)(3)(A).

(24.) Id.

(25.) Id.

(26.) Id. § 104(b)(4).

(27.) Id. § 104(b)(3)(B).

(28.) Id.

(29.) Federal Acquisition Regulations

(30.) National Credit Union Association, Records Preservation Program, 66 Fed. Reg. 11,239 (Feb. 23, 2001).

(31.) 66 Fed. Reg. 12,746 (Feb. 28, 2001)

(32.) E-SIGN § 102(a).

(33.) Id. § 104(b)(3)(A).

(34.) OMB Guidance, supra note 21, Appendix A.

(35.) H.R. CONF. REP. No. 00-106, at H4357 (2000).

(36.) Id.

(37.) 2001 N.Y. Informal Op. Att’y Gen. 3 (2001), available at 2001 WL 1095069 (N.Y.A.G.).

(38.) Memorandum from Goodwin, Procter & Hoar, LLP, to American Land Title Association, Consumer Mortgage Coalition, and Electronic Financial Services Council (Sept. 14, 2000) (on file with The Business Lawyer, University of Maryland School of Law)

(39.) The actions taken by the ALI with respect to the draft of Article 2 in May 2001 are available at http://www.ali.org/ali/ali2000_ActionsSummary.htm.

(40.) The 2001 NCCUSL Annual Meeting drafts are available from the NCCUSL Web site, at http://www.nccusl.org, or from the University of Pennsylvania Web site which houses draft and final uniform laws, at http://www.law.upenn.edu/bll/ulc/ulc_frame.htm. The Prefatory Note to the 2001 Annual Meeting draft outlines the proposed changes.

(41.) Id.

(42.) Id.

(43.) Id.

(44.) Id.

(45.) See WINN & WRIGHT, supra note 4, § 5.06.

(46.) See AM. LAW INST., ARTICLE 2 UPDATE, A.L.I. RSTR. (Summer 2000), available at http://www.ali.org/ali/R2204_Update.htm.

(47.) See WINN & WRIGHT, supra note 4, § 5.06.

(48.) Mark Budnitz, Stored Value Cards and the Consumer: The Need for Regulation, 46 AM. U. L. REV. 1027, 1072 (1997).

(49.) UNIF. MONEY SERVS. ACT (2000), available at http://www.law.upenn.edu/bll/ulc/moneyserv/UMSA2001Final.htm.

(50.) An Act Relating to the Provision of Money Services and Funded Settlements at Real Estate Closings, 2001 Vt. Acts & Resolves 2000 (to be codified at VT. STAT. ANN. tit. 8, ch. 79).

(51.) See UNIF. LAW COMM’RS ON UNIV. STATE LAWS, NCCUSL, SUMMARY

(52.) Id.

(53.) Id.

(54.) UNIF. MONEY SERVS. ACT, prefatory note.

(55.) Id. § 202.

(56.) Id. §§ 202(d), 203, 205(a), 206.

(57.) Id. §§ 203(d), 205(b).

(58.) Id. § 601(a).

(59.) Id. § 601(b).

(60.) Id. § 601(c).

(61.) Id. § 603.

(62.) Id. § 701(a).

(63.) Id. §§ 702, 701(c).

(64.) Id. §§ 802-805.

(65.) Id. § 806.

(66.) Lee S. Adams et al., Developments in Stored-Value Cards and Cyberbanking, 55 BUS. LAW. 1363 (2000).

(67.) Financial Crimes Enforcement Network, 64 Fed. Reg. 45,438 (Aug. 20, 1999) (to be codified at 131 C.F.R. pt. 103)

(68.) Financial Crimes Enforcement Network, 64 Fed. Reg. at 45,438.

(69.) Id. at 45,443.

(70.) Id. at 45,442.

(71.) UNITED NATIONS COMM’N ON INT’L TRADE LAW (UNCITRAL), MODEL LAW ON ELECTRONIC SIGNATURES (2001), available at http://www.uncitral.org/english/texts/electcom/ml-elecsig-e.pdf [hereinafter E-Signatures Model Law].

(72.) See STEPTOE & JOHNSON LLP, COMMENTARY ON THE UNCITRAL MODEL LAW ON ELECTRONIC SIGNATURES (May 2001), available at http://www.steptoe.com/webdoc.nsf/Files/UNCITRAL/$file/UNCITRAL.doc

(73.) See id.

(74.) UNCITRAL, WORKING GROUP ON ELECTRONIC COMMERCE, 2001 PROVISIONAL AGENDA, U.N. Doc. A/CN.9/WG.IV/WP.87 (2000).

(75.) A European Initiative in Electronic Commerce, COM(97) 157 final, available at http://europa.eu.int/ISPO/ecommerce/legal/documents/com97-157/ecomcom.pdf.

(76.) Directive 1999/93/EC of 13 December 1999 on a Community framework for electronic signatures, 1999 O.J. (L 13) 12 [hereinafter ES Directive].

(77.) Directive 2000/46/EC of the European Parliament and of the Council of 18 September 2000 on the taking up, pursuit of and prudential supervision of the business of electronic money institutions, 2000 O.J. (L 273) 39, available at http://europa.eu.int/eur-lex/en/lif/dat/2000/en_300L0046.html [hereinafter E-Money Directive].

(78.) See UTAH CODE ANN. §§ 46-3-201 to -504 (1998).

(79.) See Andrew Barofsky, The European Commission’s Directive on Electronic Signatures: Technological “Favoritism” Towards Digital Signatures, 24 B.C. INT’L & COMP. L. REV. 145, 153 (2000).

(80.) ES Directive, supra note 76, at art. 1.

(81.) Id.

(82.) Id. at para. 16.

(83.) Id. at art. 3.

(84.) See id. at para. 11.

(85.) Id. at art. 5.

(86.) Id.

(87.) Id. at annexes I-IV.

(88.) Id. at art. 3.

(89.) Id. at para. 4.

(90.) Id. at annex II.

(91.) Id. at art. 6.

(92.) Id. at Annex I.

(93.) See UTAH CODE ANN. § 46-3-309 (1998).

(94.) ES Directive, supra note 76, at art. 6.

(95.) E-Money Directive, supra note 77, art. 10, para. 1.

(96.) Rolf H. Weber, EC E-Money Directive–Background, Problems and Prospects, Y.B. INT’L FIN. & ECON. L. (forthcoming 2001) (on file with The Business Lawyer, University of Maryland School of Law).

(97.) Id. at 10-11.

(98.) E-Money Directive, supra note 77, art. 1, para. 3(b).

(99.) Id. at art. 3.

(100.) Id. at arts. 2, 7.

(101.) Convention on Jurisdiction and Enforcement of Judgments in Civil and Commercial Matters, September 27, 1968, 1972 O.J. (L 299) 32, reprinted in 8 I.L.M. 229 (1969), as amended 1990 O.J. (C 189) 1, reprinted as amended in 29 I.L.M. 1413 (1990) [hereinafter Brussels Convention]. The parties to the Brussels Convention were the six countries that at the time made up the EEC–Belgium, Germany, France, Italy, Luxembourg, and the Netherlands–as well as England and Denmark. The Lugano Convention extended the basic obligations of the Brussels Convention to relations among the remaining Members of the European Union as well as those in the European Free Trade Association, which includes Austria, Iceland, Norway, and Switzerland. Convention on Jurisdiction and Enforcement of Judgments in Civil and Commercial Matters, September 16, 1988, 1988 O.J. (L 319) 9, reprinted in 28 I.L.M. 620 (1989).

(102.) Convention on Jurisdiction and Enforcement of Judgments in Civil and Commercial Matters, 1988 O.J. (L 319) 10. Brussels Convention, supra note 101, art. 3.

(103.) Id. at art. 13.

(104.) Council Regulation (EC) No. 44/2001 of 22 Dec. 2000 on jurisdiction and the recognition and enforcement of judgements in civil and commercial matters, 2001 O.J. (L 12) 1. Denmark did not participate in the adoption of the regulation and is not bound by it, but remains subject to the terms of the Brussels Convention. The “Brussels II Regulation” governs jurisdiction and enforcement of judgments concerning family law matters.

(105.) Id.

(106.) Brussels Convention, supra note 101, at art. 15.

(107.) ICANN, UNIF. DOMAIN NAME DISPUTE RESOLUTION POLICY (1999), available at http://www.icann.org/udrp/udrp-policy-24oct99.htm [hereinafter UDRP].

(108.) See generally WINN & WRIGHT, supra note 4, ch. 11.

(109.) A statistical summary of proceedings under the UDRP is available at http://www.icann.org/udrp/proceedings-stat.htm.

(110.) See Press Release, ICANN, ICANN Announces Selections for New Top-Level Domains (Nov. 16, 2000), available at http://www.icann.org/announcements/icann-pr16nov00.htm.

(111.) See Joanna Glasner, Do We Really Need New Domains?, WIRED NEWS (Nov. 17, 2000), at http://www.wired.com/news/business/0,1367,40242,00.html

(112.) MILTON MUELLER, ROUGH JUSTICE: AN ANALYSIS OF ICANN’s UNIFORM DISPUTE RESOLUTION POLICY, ch. 4 (Nov. 2000), available at http://dcc.syr.edu/report.htm.

(113.) UDRP, supra note 107, § 4.d.

(114.) Id. § 4.g.

(115.) Id.

(116.) ICANN, SCHEDULE OF FEES UNDER THE ICANN POLICY (Aug. 15, 2000), at http://arbiter.wipo.int/domains/fees/index.html

(117.) MUELLER, supra note 112, at ch. 2.

(118.) Id. at ch. 3.

(119.) Id.

(120.) Neil J. Cohen, Forum: ICANN at the Crossroads, 1 INTERNET LAW & BUS. 583 (2000).

(121.) Id.

(122.) See, e.g., 47 U.S.C. § 230(e)(2) (Supp. V 1999).

(123.) 42 U.S.C. §§ 12181-12189 (1994).

(124.) Id. § 12182(a).

(125.) See generally Jonathan Bick, The Americans with Disabilities Act and the Internet, 10 ALB. L.J. SCI. & TECH. 205 (2000)

(126.) 28 C.F.R. §§ 36.303, 35.160 (2001).

(127.) Communication #204 from Deval L. Patrick, Assistant Attorney General, Civil Rights Division, U.S. Department of Justice, to Senator Tom Harkin (Sept. 9, 1996), available at http://www.usdoj.gov/crt/foia/cltr204.txt.

(128.) Id.

(129.) See Ford v. Schering-Plough Corp., 145 F.3d 601 (3d Cir. 1998)

(130.) See Pallozzi v. Allstate Life Ins. Co., 198 F.3d 28 (2d Cir. 1999)

(131.) The Workforce Investment Act of 1998, 105 Pub. L. No. 220, 112 Stat. 936 (1998) (codified at 5 U.S.C. §§ 3501-3597 (Supp. V 1999)).

(132.) Information about the Access Board is available from its Web site, at http://www.accessboard.gov.

(133.) 65 Fed. Reg. 80,500 (Dec. 21, 2000) (codified at 36 C.F.R. pt. 1194).

(134.) 36 C.F.R. § 1194.3 (2001).

(135.) 105 Pub. L. 277, 112 Stat. 2681 (1998) (codified at 47 U.S.C. § 231).

(136.) 47 U.S.C. § 231(a).

(137.) Id. § 231(e)(6).

(138.) ACLU v. Reno, 31 F. Supp. 2d 473 (E.D. Pa. 1999).

(139.) ACLU v. Reno, 217 F.3d 162 (3d Cir. 2000).

(140.) Ashcroft v. ACLU, 533 U.S. –, 121 S. Ct. 1997 (2001).

(141.) Pub. L. No. 106-554, tit. XVII, 114 Stat. 1763, 2764A-335 (2000).

(142.) Id.

(143.) See Gordon Flagg, Justice Department Defends CHIPA, AM. LIBR., Aug. 1, 2001, at 12.

(144.) 135 F. Supp. 2d 409 (S.D.N.Y. 2001).

(145.) Id. at 410.

(146.) Communications Decency Act of 1996, 47 U.S.C. § 230 (Supp. V 1999).

(147.) Gucci, 135 F. Supp. 2d at 417.

(148.) Id. at 413 (quoting 47 U.S.C. § 230(e)(2) (Supp. V 1999)).

(149.) 76 F.3d 259 (9th Cir. 1996).

(150.) 955 F.2d 1143 (7th Cir. 1992).

(151.) 985 F. Supp. 949 (C.D. Cal. 1997).

(152.) Gucci, 135 F. Supp. 2d at 416.

(153.) 453 N.W. 2d 569 (Minn. Ct. App. 1990)

(154.) Computer Tool & Eng’g, 453 N.W. 2d at 571.

(155.) Trades Hall Distances Itself from S11 Rally, AAP NEWSFEED, Sep. 4, 2000, available at LEXIS Australian General News Library.

(156.) eBay, Inc. v. Bidder’s Edge, Inc., 100 F. Supp. 2d 1058 (N.D. Cal. 2000).

(157.) Register.com, Inc. v. Verio, Inc., 126 F. Supp. 2d 238 (S.D.N.Y. 2000).

(158.) eBay, 100 F. Supp. 2d at 1060 (quoting eBay’s User Agreement).

(159.) Id. at 1061.

(160.) 15 U.S.C. § 1125(a) (1994 & Supp. V 1999).

(161.) 18 U.S.C. § 1030 (1994 & Supp. V 1999).

(162.) eBay, 100 F. Supp. 2d at 1058.

(163.) 54 Cal. Rptr. 2d 468 (Cal. Ct. App. 1996).

(164.) 962 F. Supp. 1015 (S.D. Ohio 1997).

(165.) Thrifty-Tel, 54 Cal. Rptr. 2d at 472-73

(166.) Tom Wolverton, Bidder’s Edge Pushes Web Site over Cliff, CNET NEWS.COM (Feb. 15, 2001), at http://www.cnet.com/news/0-1007-200-4834126.html.

(167.) 126 F. Supp. 2d 238 (S.D.N.Y. 2000).

(168.) Id.

(169.) Id. at 248.

(170.) Id. at 255.

(171.) Id. at 251.

(172.) Id. at 253 (citing 18 U.S.C. § 1030 (1994 & Supp. V 1999)).

(173.) Brief of Amici Curiae Americans for Fair Electronic Commerce Transactions et al., Register.com v. Verio, 126 F. Supp. 2d 238 (S.D.N.Y. 2000) (No. 00-201), available at http://www.arl.org/info/fm/copy/verio.html.

(174.) Register.com, 126 F. Supp. 2d at 250 (citing eBay, Inc. v. Bidder’s Edge, Inc., 100 F. Supp. 2d 1058, 1071 (N.D. Cal. 2000)).

(175.) Id. (quoting declaration of Robert Gardos, Vice President of Technology, Register.com).

(176.) Id. at 253.

(177.) 18 U.S.C. § 1030(a) (1994 & Supp. V 1999).

(178.) Id. § 1030(a)(2)(C), (5)(C).

(179.) Id. § 1030(e)(8).

(180.) United Nations Convention on the Recognition and Enforcement of Foreign Arbitral Awards, June 10, 1958, 330 U.N.T.S. 3.

(181.) 9 U.S.C. §§ 1-14 (Supp. V 1999).

(182.) Id.

(183.) See Allied-Bruce Terminix Cos. v. Dobson, 513 U.S. 265 (1995).

(184.) UNIF. ARBITRATION ACT (1955), 7 U.L.A. pt. 1, at 1 (1997) (for a current table of state adopting statutes, see 7 U.L.A. pt. 1, at 47 (Supp. 2001)). The Uniform Arbitration Act was last revised in 2000. See UNIF. ARBITRATION ACT (2000), 7 U.L.A. pt. 1, at 1 (Supp. 2001).

(185.) Volt Info. Scis. v. Bd. of Trs. of Leland Stanford Junior Univ., 489 U.S. 468 (1989).

(186.) Stephen K. Huber, Consumer Arbitration in the United States Supreme Court, 4 J. TEX. CONSUMER L. 267 (2001).

(187.) See, e.g., Jean Sternlight, As Mandatory Binding Arbitration Meets the Class Action, Will the Class Action Survive?, 42 WM. & MARY L. REV. 1 (2001).

(188.) 531 U.S. 79 (2000).

(189.) Id.

(190.) 15 U.S.C. §§ 1601-1693o (Supp. V 1999).

(191.) Randolph v. Green Tree Fin. Corp., 991 F. Supp. 1410 (M.D. Ala. 1997).

(192.) Randolph v. Green Tree Fin. Corp.-Ala., 178 F.3d 1149 (11th Cir. 1999).

(193.) Green Tree, 531 U.S. at 92.

(194.) Id.

(195.) Id. at 91.

(196.) Id. at 89.

(197.) Id.

(198.) Id. at 90.

(199.) Id. at 93 (Ginsburg, J., dissenting in part and concurring in part, joined in full by Stevens and Souter, JJ., and joined in part by Breyer, J.).

(200.) See Johnson v. W. Suburban Bank, 225 F.3d 366 (3d Cir. 2000)

(201.) 15 U.S.C. §§ 2301-2312 (1994).

(202.) 16 C.F.R. §§ 701-703 (2001).

(203.) 15 U.S.C. § 2302

(204.) 16 C.F.R. § 701.8.

(205.) A party aggrieved by the alleged failure, neglect, or refusal of another to arbitrate under a written agreement for arbitration may petition any United States district court which, save for such agreement, would have jurisdiction … for an order directing that such arbitration proceed in the manner provided for in such agreement…. If the making of the arbitration agreement … be in issue, the court shall proceed summarily to the trial thereof…. If the jury find that no agreement in writing for arbitration was made … the proceeding shall be dismissed. If the jury finds that an agreement for arbitration was made in writing and that there is a default in proceeding thereunder, the court shall make an order summarily directing the parties to proceed with the arbitration in accordance with the terms thereof.

9 U.S.C. § 4 (1994).

(206.) No. 00 C 366, 2000 WL 631341, at *7 (N.D. Ill. May 8, 2000).

(207.) Id. at *4.

(208.) E-SIGN section 101(c) provides in part, “if a statute, regulation, or other rule of law requires that information relating to a transaction or transactions in or affecting interstate or foreign commerce be provided or made available to a consumer in writing …” then the merchant must comply with a series of requirements.

(209.) The consumer consent provisions in section 101(c) of E-SIGN are discussed in detail in WINN & WRIGHT, supra note 4, § 5.04.

(210.) See eBay, Company Overview, at http://pages.ebay.com/community/aboutebay/overview/index.html.

(211.) Amazon.com and Yahoo.com now have major auction sites, and special-interest sites include DanceAuction.com, JustGlass.com, PotteryAuction.com, RockAuction.com, and LoveThatLook.com (for bridal wear). In addition, a large number of auction aggregator sites have sprung up to help consumers compare prices at more than one auction site at a time. See Randall E. Stross, The Auction Economy, U.S. NEWS & WORLD REP., June 26, 2000, at 44.

(212.) In 1997, the FTC received 107 complaints about on-line auction fraud

(213.) Id.

(214.) The eBay User Agreement provides: “eBay is only a Venue…. [O]ur site acts as a venue to allow anyone to offer, sell, and buy just about anything, at anytime, from anywhere…. We are not involved in the actual transaction between buyers and sellers.” eBay User Agreement, at http://pages.ebay.com/help/community/png-user.html.

(215.) See Amazon.com Auctions, at http://sl.amazon.com/exec/varzea/subst/home/home.html/058-9262414-6457050

(216.) Samer Iskander, Court Blow for French Buyers at Web Auctions, FIN. TIMES (London), May 4, 2000, at 10.

(217.) It appears that one reason Yahoo! was singled out for selling Nazi materials is that other auction sites such as eBay and Amazon.com try to exclude such items from their auction services.

(218.) UEJF v. Yahoo!, Inc., T.G.I. Paris, May 22, 2000, translated at http://www.juriscom.net/txt/jurisfr/cti/yauctions2000522.htm.

(219.) Id.

(220.) Id.

(221.) See UEJF v. Yahoo!, Inc., T.G.I. Paris, Nov. 20, 2000 (interim court order), translated at http://www.cdt.org/speech/international/001120yahoofrance.pdf (noting the designation of a panel of experts “to enlighten the Court on the various technical solutions that could be implemented by YAHOO! Inc. in order to comply with the order of 22nd May”).

(222.) Id.

(223.) Id.

(224.) Id. (citing a Mediametrie survey carried out in March 2000).

(225.) Id.

(226.) Id.

(227.) Id.

(228.) Yahoo!, Inc. v. La Ligue Contre Le Racisme et L’Antisemitisme (LICRA), 145 F. Supp. 2d 1168 (N.D. Cal. 2001).

(229.) No. 305666, 2000 WL 1705637 (Cal. App. Dep’t Super. Ct. Nov. 1, 2000).

(230.) Id.

(231.) CAL. BUS. & PROF. CODE § 17200 (1999).

(232.) 47 U.S.C. § 230(c) (Supp. V 1999). For a more complete discussion of the CDA safe harbor for ISPs, see WINN & WRIGHT, supra note 4, § 2.02[B].

(233.) Stoner, 2001 WL 1705637, at *1.

(234.) Gentry v. eBay, Inc., GIC746980 (Jan. 18, 2001 Cal. Super. Ct.) (unpublished) (on file with The Business Lawyer, University of Maryland School of Law).

(235.) CAL. CIV. CODE § 1739.7 (1999).

(236.) Gentry, GIC746980.

(237.) 17 U.S.C. § 512 (Supp. V 1999).

(238.) Id. For a discussion of the provisions of the DMCA and the safe harbor, see WINN & WRIGHT, supra note 4, § 12.04.

(239.) See 47 U.S.C. § 230 (Supp. V 1999)

(240.) For example, eBay offers its subscribers coverage of up to $200, with a $25 deductible, for documented instances of fraud. eBay estimates that one in 40,000 listings results in a paid claim. Joelle Tessler, eBay Security Personnel Shut Down Thieves, Fraud Artists Who Use Web Site, SAN JOSE MERCURY NEWS, Apr. 8, 2001.

(241.) See, e.g., eBay, Feedback Forum, at http://pages.ebay.com/services/forum/feedback.html

(242.) See FTC, INTERNET AUCTIONS: A GUIDE FOR BUYERS AND SELLERS (Sept. 2000), at http://www.ftc.gov/bcp/conline/pubs/online/auctions.htm.

(243.) See, e.g., Press Release, FTC, Internet ‘Entrepreneur’ Sentenced For Wire Fraud (Feb. 17, 1999), available at http://www.ftc.gov/opa/1999/9902/hare3.htm.

(244.) See generally, WINN & WRIGHT, supra note 4, ch. 14.

(245.) 15 U.S.C. §§ 6501-6506 (Supp. V 1999).

(246.) Id. §§ 6501(8), 6502.

(247.) Pub. L. No. 106-102, §§ 501-510, 113 Stat. 1338 (1999).

(248.) Id. § 502(b).

(249.) 16 C.F.R. § 312 (2001).

(250.) Id. § 312.10(a).

(251.) Id.

(252.) Id.

(253.) Id.

(254.) Id. § 312.10(b).

(255.) Press Release, FTC, Entertainment Software Rating Board Awarded “Safe Harbor” Status (Apr. 19, 2001), available at http://www.ftc.gov/opa/2001/04/esrb.htm.

(256.) JOSEPH TURLOW, THE ANNENBERG PUB. POLICY CTR. OF THE UNIV. OF PA., PRIVACY POLICIES ON CHILDREN’S WEBSITES: DO THEY PLAY BY THE RULES?, Mar. 2001, available at http://www.appcpenn.org/reports/2001/index.asp.

(257.) Id. at 2.

(258.) Press Release, FTC, Web Sites Warned to Comply with Children’s Online Privacy Law (July 17, 2000), available at http://www.ftc.gov/opa/2000/07/coppacompli.htm.

(259.) Press Release, FTC, FTC Announces Settlements with Web Sites That Collected Children’s Personal Data Without Parental Permission (Apr. 19, 2001), available at http://www.ftc.gov/opa/2001/04/girlslife.htm.

(260.) Id.

(261.) See, e.g., Julia Angwin, New Children’s Privacy Rules Pose Obstacles For Some Sites, WALL ST. J., Apr. 24, 2000, at B8.

(262.) Pub. L. No. 106-112, 113 Stat. 1338 (1999).

(263.) The Banking (Glass-Steagall) Act of 1933, ch. 89, sec. 1, 48 Stat. 162 (1933) (codified as amended in scattered sections of 12 U.S.C.).

(264.) 15 U.S.C. §§ 6801-6809 (Supp. V 1999).

(265.) Id. § 6802(a).

(266.) Council Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, art. 25, 1995 O.J. (L 281) 31 [hereinafter DP Directive].

(267.) Id. at 32.

(268.) Id. at 49.

(269.) See European Union Commission, Status of Implementation of Directive 95/46 on the Protection of Individuals with Regard to the Processing of Personal Data, at http://europa.eu.int/comm/internal_market/en/dataprot/law/impl.htm.

(270.) DP Directive, supra note 266, at 31, 38.

(271.) Id. at 45-46.

(272.) Id.

(273.) Id. at 46.

(274.) See generally European Union Commission, Data Protection: Background Information (Nov. 3, 1998), at http://europa.eu.int/comm/internal_market/en/dataprot/backinfo/info.htm.

(275.) U.S. DEP’T OF COMMERCE, WELCOME TO THE SAFE HARBOR, at http://www.export.gov/safeharbor.

(276.) Id.

(277.) U.S. DEP’T OF COMMERCE, SAFE HARBOR OVERVIEW, at http://www.export.gov/safeharbor/sh_overview.htm.

(278.) Id.

(279.) Commission Decision 2000/520, 2000 O.J. (L 215) 7.

(280.) Id. at art. 4.

(281.) See Patrick Thibodeau, Big Companies Urge Congress to Show Restraint on Privacy Matters (July 30, 2001), at http://www.computerworld.com/cwi/story/0,1199,NAV47_STO62662,00.html.

(282.) DP Directive, supra note 266, at 46.

(283.) Id.

(284.) Commission Decision 2001/497, 2001 O.J. (L 181) 19, 24.

(285.) Id. at 21.

(286.) The European Union Commission, Draft Commission Decision on Standard Contractual Clauses for the Transfer of Personal Data to Third Countries (Mar. 27, 2001), at http://europa.eu.int/comm/internal_market/en/dataprot/news/clausesdecision.htm.

(287.) The European Union Commission, Standard Contractual Clauses for the Transfer of Personal Data to Third Countries-Frequently Asked Questions (2001), at http://europa.eu.int/comm/internal_market/en/dataprot/news/clauses2faq.htm#6.

(288.) OFFICE OF THE INFO. & PRIVACY COMM’R/ONTARIO & OFFICE OF THE FED. PRIVACY COMM’R OF AUS., WEB SEALS: A REVIEW OF ONLINE PRIVACY PROGRAMS, available at http://www.privacy.gov.au/publications/seals.html.

(289.) Id. Executive Summary–Methodology.

(290.) Id.

(291.) Id. Executive Summary–Results.

(292.) Id.

(293.) Id. § 5.2.

(294.) Id.

(295.) Id.

(296.) See, e.g., Norman Y. Mineta, Secretary of Commerce, Remarks at Online Privacy Technologies Workshop and Technology Fair (Sept. 19, 2000), available at http://www.ntia.doc.gov/ntiahome/privacy/900workshop/mineta91900.htm.

(297.) Information about P3P is available at http://www.w3.org/P3P.

(298.) Id. (“P3P enhances user control by putting privacy policies where users can find them, in a form users can understand, and, most importantly, enables users to act on what they see.”).

(299.) See George A. Chidi Jr., Microsoft Beefs up IE’s Security (Mar. 21, 2001), available at http://www.pcworld.com/resource/printable/article/0,aid,45162,00.asp.

(300.) See, e.g., The European Union Commission, Working Party, Platform for Privacy Preferences (P3P) and the Open Profiling Standard (OPS) (June 16, 1998), available at http://europa.eu.int/comm/internal_market/en/dataprot/wpdocs/wp11en.htm (draft opinion).

(301.) W3C INITIATIVE, MAKE YOUR WEB SITE P3P COMPLIANT, at http://www.w3.org/P3P/details.html (last modified Oct. 24, 2001).

(302.) RESTATEMENT (SECOND) OF CONTRACTS § 77 (1981).

(303.) Amazon.com Privacy Notice, available at http://www.amazon.com/exec/obidos/tg/browse/-/468496/107-7656351-4077340.

(304.) Letter from Jason Catlett, President, Junkbusters & Marc Rotenberg, Executive Director, EPIC, to Jodie Z. Bernstein, Director, FTC (Dec. 12, 2000), available at http://www.junkbusters.com/ht/en/amazon.html.

(305.) Id.

(306.) FTC: Amazon Privacy Switch Didn’t Break Law, REUTERS, May 25, 2001, at http://www.zdnet.com/zdnn/stories/news/0,4586,5083551,00.html?chkpt=zdnn_rt_latest.

(307.) See supra notes 245-50 and accompanying text.

(308.) Press Release, RealNetworks, RealNetworks’ RealPlayer Surpasses 115 Million Unique Registered Users (Apr. 10, 2000), at http://realnetworks.com/company/press/releases/2000/player115.html.

(309.) Steve Lohr, Internet Companies Set Policies to Help Protect Consumer Privacy, N.Y. TIMES, Nov. 5, 1999, at C1.

(310.) Lieschke v. Realnetworks, Inc., No. 99 C 7274, 99 C 7380, 2000 WL 198424 (N.D. Ill. Feb. 11, 2000).

(311.) 18 U.S.C. § 1030 (1994 & Supp. V 1999).

(312.) 18 U.S.C. §§ 2701-2711 (1994 & Supp. V 1999).

(313.) No. 00 C 366, 2000 WL 631341, at *7 (N.D. Ill. May 8, 2000) (unpublished).

(314.) Fred Vogelstein, The Internet’s Busybody, U.S. NEWS & WORLD REPORT, Mar. 6, 2000, at 39.

(315.) In re DoubleClick Inc. Privacy Litig., 154 F. Supp. 2d 497 (S.D.N.Y. 2001).

(316.) Press Release, DoubleClick, Inc., DoubleClick Inc. and Abacus Direct Corporation to Merge in a $1 Billion Stock Transaction (June 14, 1999), available at http://www.doubleclick.net/us/corporate/presskit/press-releases.asp?asp_object_1=&press%5Frelease%5Fid=2327.

(317.) EPIC, Complaint and Request for Injunction, Request for Investigation and for Other Relief, In re DoubleClick, Inc. (2000), available at http://www.epic.org/news.

(318.) Pamela Parker, DoubleClick Drops Controversial Plan, INTERNETNEWS (Mar. 2, 2000), at http://www.internetnews.com/bus-news/article/0,,3_314401,00.html.

(319.) Stefanie Olsen, FTC Drops Probe into DoubleClick Privacy Practices, CNET NEWS (Jan. 22, 2001), at http://news.cnet.com/news/0-1005-200-4563509.html?tag=unkn.

(320.) Stefanie Olsen, DoubleClick Climbs After Privacy Probe Ends, CNET NEWS (Jan. 23, 2001), at http://news.cnet.com/news/0-1005-200-4573419.html.

(321.) In re America Online, Inc. Version 5.0 Software Litig., No. 00-1341-GOLD-DUBE, 2001 U.S. Dist. LEXIS 6595 (S.D. Fla. Apr. 19, 2001).

(322.) In re Intuit Privacy Litig., 138 F. Supp. 2d 1272, 1282 (C.D. Cal. 2001).

(323.) Id. at 1281-82.

(324.) See supra notes 302-06 and accompanying text.

(325.) See Smiffed: Amazon-Alexa Data Collection Could Bubble over, PRIVACY TIMES (Jan. 5, 2000), available at http://www.privacytimes.com/NewWebstories/alexa_priv_1_5.htm (quoting a portion of zBubbles’ privacy statement).

(326.) Letter from C. Lee Peeler, Associate Director of the FTC’s Division of Advertising Practices, to David A. Zapolsky, Esq., Associate General Counsel, Litigation, Amazon.com, and Barry J. Reingold, Esq., Perkins Coie, LLP (May 25, 2001), available at http://www.ftc.gov/os/closings/staff/amazonletter.htm.

(327.) Id.

(328.) Id.

(329.) Id.

(330.) Id.

Jane K. Winn, Professor, Dedman Law School, Southern Methodist University, Dallas, Texas. Some of the material in this article is drawn from the forthcoming 2002 annual supplement to JANE K. WINN & BENJAMIN WRIGHT, THE LAW OF ELECTRONIC COMMERCE (4th ed. 2001).