The legal Web of wireless transactions

I. INTRODUCTION

For consumers, the flexibility and freedom afforded by wireless handheld devices such as Palm[TM] and BlackBerry[TM], mobile phones, and even watches with wireless capabilities, provide an “untethered,” “ubiquitous,” and “unbounded” lifestyle. (1) For businesses, the wireless medium creates a new venue for their services and products, one in which businesses can furnish information to and collect valuable information from and about consumers conducting wireless transactions. Although the recently slowing economy has caused some companies to scale back their mobile commerce initiatives, (2) most experts see wireless transactions, also known as “mobile commerce” or “m-commerce,” as the future of technologically advanced business transactions. (3) Given the growth projected for this market, businesses will inevitably make large investments in order to secure a niche in the wireless world. (4)

Thus, for businesses that supply information, products, or services via the Internet and wish to reach a broader audience on a real-time basis, the wireless Web presents an innovative opportunity. At the same time, this new way of transacting business brings legal challenges that require thoughtful planning. In developing mobile commerce initiatives, businesses face two compelling and distinctive legal issues in particular. First, they must comply with the privacy and security regulations that govern wireless transactions in both the United States and, if the business is global, overseas. Second, businesses must ensure that their wireless transactions with customers comply both with traditional contract law and the growing number of record retention requirements related to electronic transactions. This Article analyzes these two pressing legal issues in depth so that such businesses can steer clear of the hazards they pose to their m-commerce initiatives. (5)

II. PRIVACY AND SECURITY

Businesses that hope to win wireless consumer confidence and increase participation in the new wireless marketplace must minimize consumer privacy and security concerns. Ensuring privacy on the wireless Web means complying with laws regarding the collection and use of “personally identifiable information” about wireless customers and dealing with the legal consequences of “location technology,” a unique feature of wireless devices. Ensuring the security of m-commerce means protecting customers from unauthorized “eavesdroppers” and those who might use information transmitted wirelessly for unauthorized or fraudulent purposes. However, in light of the September 11, 2001, terrorist acts, Americans may be more tolerant of, and the U.S. Government may be more insistent upon, incursions into areas that were typically perceived as private. The terrorist acts may therefore have a liberating effect on privacy laws, but only time will tell.

A. Ensuring the Privacy of M-Commerce

The increased popularity of mobile commerce (“m-commerce”) raises unique privacy issues in two ways. First, the design of wireless devices creates technical problems for wireless businesses seeking to abide by privacy laws protecting customer information. Second, the location-tracking ability of wireless networks raises privacy concerns about “Big Brother” and about unsolicited advertising while at the same time it creates exciting possibilities for government and business use.

1. Protecting Personally Identifiable Customer Information

A variety of federal and state laws govern the collection and use of personally identifiable information. (6) Most of these laws apply only to government entities or particular industries. (7) Two appear most relevant to wireless transactions: the Children’s Online Privacy Protection Act (“COPPA”) and the Gramm-Leach-Bliley Financial Modernization Act (“GLBA”). (8) In addition, the Federal Trade Commission (“FTC”) has promulgated five “Fair Information Practice Principles,” which have a direct bearing on m-commerce privacy concerns. (9) Wireless industry groups have also published advisory principles on privacy in an effort at self-regulation. The next four sub-sections examine, in turn, the two federal statutes, the FTC principles, and industry self-regulation in the form of advisory opinions, and a fifth sub-section then discusses the difficulties in applying these laws and principles to handheld wireless devices.

a. The Children’s Online Privacy Protection Act

Teenagers in the United States represent a significant untapped market for the wireless industry. Wireless businesses have responded by beginning to develop and market mobile devices to teenagers, and these efforts will probably cause the number of users under the age of thirteen to increase. (10) Given the rise in use of wireless devices by youngsters, businesses participating in wireless transactions need to know and comply with the regulations of the COPPA. The COPPA, passed by Congress with the FTC’s strong recommendation, regulates the collection, use, and disclosure by Internet website operators of personally identifiable information of children under the age of thirteen. (11) Although the COPPA refers to conventional Internet transactions, the strong public policy underlying the law to protect and regulate information collected from children would likely apply to wireless Web functions as well as traditional online environments.

The COPPA, effective April 1, 2000, creates certain duties for website operators, provides a safe harbor, and defines various terms. With regard to duties, the COPPA requires that website operators who either direct their sites to children or who know they are collecting information from children take the following five actions: First, provide parents with conspicuous notice of what information is collected, how the information will be used, and the website’s disclosure practices. Second, obtain prior, verifiable parental consent for the collection, use, and disclosure of personal information from children (with limited exceptions). Third, provide parents the opportunity to view and prevent further use of personal information previously collected. Fourth, limit the amount of information that a child must provide to participate in a game, prize offer, or other activity to information that is reasonably necessary for that activity. Fifth, establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the personal information collected. (12)

The COPPA provides a safe harbor if a website operator complies with any of the sets of self-regulatory guidelines issued by representatives of the marketing or online industries, that, after notice and comment, have been approved by the FTC. (13)

The COPPA defines several of its terms. An “operator” is “any person who operates a website located on the Internet or an online service….” (14) The “Internet” is “the myriad of computer and telecommunications facilities, including equipment and operating software, which comprise the interconnected world-wide network of networks that employ the Transmission Control Protocol/Internet Protocol, or any predecessor or successor protocols to such protocol, to communicate information of all kinds by wire or radio.” (15)

b. The Gramm-Leach-Bliley Financial Modernization Act

A second statute affecting wireless privacy issues is the GLBA, which governs the collection, use, and dissemination of non-public consumer financial information by financial institutions. (16) While the GLBA specifically targets only “financial institutions,” (17) the statute defines financial institution in extremely broad terms and would likely apply the term to many companies not traditionally categorized as financial institutions, (18) including businesses with wireless offerings. Thus, businesses participating in wireless transactions should be aware of the GLBA requirements.

Under the GLBA, financial institutions must perform the following three duties regarding non-public consumer financial information: First, provide clear and conspicuous notice to consumers of the institution’s privacy policy upon establishing the customer relationship and at least annually thereafter. (19) Second, obtain consent from consumers before disclosing a consumer’s non-public personal information to non-affiliated third parties. (20) Third, provide a reasonable method for consumers to “opt out” of such disclosures to non-affiliated third parties. (21)

As of July 1, 2001, compliance with the GLBA’s obligations is no longer voluntary.

c. The Federal Trade Commission’s Five Fair Information Practice Core Principles

In addition to abiding by the COPPA and the GLBA, the privacy policies of wireless businesses should also comply with guidelines published by the FTC. In 1998, the FTC established five fair information practice “core principles” in an effort to address the overwhelming public concern over Internet privacy. (22) The FTC adopted the five principles after reviewing numerous studies, documents, and reports generated from governmental agencies in the United States, Canada, and Europe. (23) Traditionally a proponent of self-regulation in lieu of legislation, the FTC hoped that online and offline entities would voluntarily adopt these principles to address consumer privacy. Studies conducted in 1999 and 2000, however, revealed that a vast majority of the websites surveyed had not implemented the principles. (24) In light of the industry’s failure to implement effective self-regulatory efforts, the FTC recently recommended additional legislation to fully protect consumers’ personal information. (25) Given the overwhelming pressure the public and the FTC have placed on legislators to pass more significant privacy laws, businesses participating in wireless transactions should adopt the FTC’s five principles and keep abreast of new legislative proposals to avoid running afoul of the new laws that will be inevitably enacted.

The FTC’s five core principles:

Notice/Awareness. This principle requires that an entity notify consumers of its information practices before collecting any personal information. Notification includes the identity of the entity collecting the information, the type of data collected, the uses to which the data will be put, and the potential recipients of the data. (26)

Choice/Consent. This principle mandates that consumers be given a choice as to how any personal information collected from them may be used. According to this principle, “[i]n order to be effective, any choice regime should provide a simple and easily-accessible way for consumers to exercise their choice.” (27)

Access/Participation. This principle requires that consumers receive an opportunity to access and correct the information an entity collects about them. The principle explains:

[t]o be meaningful, access must encompass timely and
inexpensive access to data, a simple means for contesting
inaccurate or incomplete data, a mechanism by which the
data collector can verify the information, and the means
by which corrections and/or consumer objections can be
added to the data file and sent to all data recipients. (28)

Integrity/Security. Under this principle, personal data must be kept reasonably secure and updated. The principle notes: “[s]ecurity involves both managerial and technical measures to protect against loss and the unauthorized access, destruction, use, or disclosure of the data.” (29)

Enforcement/Remedies. According to this principle, entities should appropriately enforce and remedy breaches of the other four principles. (30)

In addition to the FTC’s advisory principles, the wireless industry itself has shown its concern for customer confidence regarding privacy by producing guidelines on the subject. The next section discusses those guidelines.

d. Industry Efforts at Self-Regulation

Recognizing the great interest the wireless industry has in setting standards that make consumers comfortable, a number of professional wireless industry organizations have promulgated their own rules regarding privacy and security. Three groups in particular have taken the lead in promulgating self-regulation: the Wireless Advertising Association (“WAA”), the Network Advertising Initiative (“NAI”), and the Wireless Location Industry Association (“WLIA”). These self-regulation efforts, explained more fully in the next several paragraphs, not only highlight the importance of consumer choice, but also help set the stage for an inevitable, and more binding, regulatory regime. In view of this self-regulation, wireless businesses and industry organizations will likely not, and should not, resist efforts by legislators to increase consumer privacy protections.

The first of the groups mentioned above, the WAA, has developed the Guidelines on Privacy and SPAM, which are voluntary and favor wireless subscribers controlling their personally identifiable information. (31) The WAA seeks to create a climate of trust with consumers regarding the treatment of consumer privacy in order to maintain opportunities to provide diverse content in the wireless environment. Consequently, the guidelines call for a higher level of consumer permission, particularly for wireless “push” applications. (32) These guidelines also restrict the use of location information, which is more fully discussed in section I.B. of this article.

The NAI has promulgated its own guidelines, the Self-Regulatory Principles for Online Marketing for Network Advertisers, which were endorsed by the FTC and the Department of Commerce on July 27, 2000. (33) These principles protect three types of online user data:

* non-personally identifiable information

* data that results from combining a Web user’s name, e-mail address, or other personal information with information about her Internet usage across web-sites

and

* data that results from merging personally identifiable information collected offline and online. (36)

Lastly, the WLIA has established guidelines for its members to set acceptable standards for protecting the privacy of wireless consumers’ location data (location data, as noted, is discussed more fully in section I.B.).

e. Legislative and Regulatory Compliance Challenges for Wireless Devices

However much the COPPA, the GLBA, the FTC’s five privacy principles, and industry self-regulation help protect consumer privacy, the design and limited functionality of most handheld wireless devices today create at least three challenges for concerned online businesses. The first compliance challenge comes from the notification requirements in the COPPA, the GLBA, and the FTC’s principles. All three regulatory schemes require that covered entities notify the consumer of the entity’s information collection and use policies. Although in a traditional online environment these disclosure requirements can be easily met by displaying the policy on the company website, the prominent display of a company’s privacy policy will be difficult on the smaller screens of wireless devices. Scrolling through a three-page privacy policy on today’s handheld wireless devices would consume time and frustrate consumers.

To tackle this first challenge, some organizations propose that the wireless device simply provide the address of a website where the consumer could see the company’s privacy policy or a telephone number where the consumer could call to request a copy of the policy. However, these solutions pose at least three problems. First, not everyone who has a handheld wireless device, such as a mobile phone, will have access to a computer. Second, it is impractical for a consumer to postpone a wireless transaction until he or she has requested, received, and agreed to the privacy policy. Indeed, such delay negates the convenience aspect of wireless transactions. Finally, the COPPA and the GLBA require “conspicuous” notice, which may mean immediate access to the privacy policy.

The second compliance challenge for wireless devices will be to meet the COPPA’s parental review requirement. The COPPA requires that businesses provide parents with an opportunity to review and prevent further disclosure of information collected online from their children. Wireless devices, such as cellular phones and personal digital assistants (“PDAs”), are often considered more personal than a household computer and thus, not routinely shared among family members. Businesses that target children will have to provide alternative means for parents to view their children’s information, and if necessary, revise the information.

The Access/Review and Choice/Consent requirements of the GLBA and the FTC principles create a third compliance challenge for wireless business providers. Not only are the screen displays on handheld wireless devices miniature, but their keyboards–if they have keyboards–are typically extremely small and often of limited function. A consumer will need alternative means for reviewing and correcting the data collected and for communicating to the business what information he or she does not want to share.

In fact, many in the industry have already recognized that the small screens and limited functionality and technology of today’s wireless devices are impeding the business success of wireless transactions. (37) One possible solution to the small screen size: allow a handheld device user to “take over” a strategically placed monitor via an infrared signal between the two. For example, a retail establishment might use such monitors so that a handheld user could view terms and conditions or other potential visuals related to the sale of an item. According to Glover Ferguson, Chief Scientist for Accenture L.L.P., this concept, albeit in nascent stages, is being piloted in Europe. (38) The drawback, of course, would be the need for strategic placement of such monitors, perhaps in publicly available kiosks or elsewhere. As businesses continue to explore and research new business models and technologies to make wireless transactions more convenient, faster, and consumer-friendly, they should also continue to monitor the current and evolving privacy regulations, as well as develop applications that will assist them in complying with the COPPA, the GLBA, the FTC’s five privacy principles, and their own self-regulation efforts.

2. Privacy Concerns regarding the Collection and Use of Location Information

Equally as important as the need for m-commerce providers to safeguard personally identifiable customer information is the privacy concern posed by location technology. The unique ability of wireless networks to track the movements of their customers makes the wireless devices those customers carry potential conduits for highly targeted, unsolicited advertisements. Yet businesses seeking to take advantage of location technology must heed several privacy-type laws. This section gives an overview of the technology and its potential uses, describes the current laws regulating those uses, and then looks at proposed legislation and the wireless industry’s self-regulation on the subject.

a. Overview of Location Technology

Location technology literally allows carriers and vendors (39) to track the physical movements of end users. Coupled with a wireless user’s browsing and purchasing profiles, such as those gathered by websites like Amazon.com or by stores that track purchases with membership discount cards, location technology has enormous potential commercial implications. This overview looks briefly at how it works and the uses to which the technology might be put.

(i) How Location Technology Works

Location technology typically pinpoints an end user’s location using one or a combination of three methods: signal triangulation, radio wave angle-of-arrival measurements, or global positioning system measurements. Triangulation involves measuring the distance of a caller from two or three communication towers based on the length of time it takes the signal to reach the different towers. Angle-of-arrival technology determines the point of origin by matching against a database of pattern variations the patterns created as radio waves emitted by a particular cell phone bounce off buildings and arrive at a communications tower. The global positioning system (“GPS”) uses satellites that orbit the Earth to measure the distance from a GPS receiver that is built into the wireless device, for example, handset-based technology. This technology is often used in vehicles for mapping applications. (40)

Consumers cannot prevent tracking by triangulation and angle-of-arrival technology–both network-based technologies–unless they turn off the wireless device. In contrast, GPS technology allows a user to turn off the location chip except when dialing 911.

(ii) Current and Potential Uses For Location Technology

Consumers already widely use several location-based wireless devices, such as mobile navigational tools. (41) Other applications being developed for widespread deployment include those that:

* allow emergency operators to locate and respond to emergency calls from wireless devices

* send advertisements, coupons, or other targeted information (such as shopper alerts or appointment and reservation openings) to consumers over wireless devices

* gather data about consumers’ purchases and movements for market research purposes

* provide automatic access to data networks in a consumer’s immediate vicinity to allow the consumer to bypass, or complete herself, traditionally time-consuming and labor-intensive transactions

* enable employers to monitor employee productivity and movement, and to deploy resources more efficiently in response to their customers’ needs.

Although technology companies have been racing to develop the next “killer application,” consumer fears have been fueled by warnings of an onslaught of unsolicited advertisements delivered to wireless devices and an omnipresent “Big Brother” who can monitor their every move. (43) As a result, public policy has already begun to address growing consumer concerns about the availability of location-based data. Thus, carriers, vendors, and application developers should consider carefully how location-based services and applications would fit into the privacy regulatory regime for wireless devices. (44) The next section examines the current laws on this subject.

b. Current Federal Laws Regarding Location-Based Information

At least four federal statutes contain language that might affect how m-commerce businesses collect and use location information. Those statutes are the 1999 Wireless Communications and Public Safety Act (“WCPSA”), the 1996 Telecommunications Act, the Telephone Consumer Protection Act (“TCPA”), and the Telemarketing and Consumer Fraud and Abuse Prevention Act (“TCFAPA”).

(i) The 1999 Wireless Communications and Public Safety Act

The WCPSA (45) was enacted in part to protect wireless consumer privacy from location technology and to make possible the accurate deployment of wireless 911 service. (46) Ironic in light of its privacy concerns, the statute has been a catalyst for the development of location technology. Pursuant to its provisions, the Federal Communications Commission (“FCC”) has issued a mandate and three subsequent reports and orders that require carriers to implement tracking technology. Phase II of the mandate, as amended by the Third Report and Order, required that by October 2001, all carriers begin deployment of technology that will enable them to locate the origin of 911 calls within 150 meters of wireless devices that use hand-set based technology and within 300 meters of wireless devices that use network-based technology. (47) Efforts by carriers to comply with these location-tracking requirements have also spawned the search for commercial applications for this new technology.

(ii) The 1996 Telecommunications Act

The 1996 Telecommunications Act (48) imposes a duty on carriers to protect the confidentiality of customer proprietary information. It also prohibits carriers from using, disclosing, or permitting access to individually identifiable customer proprietary network information (49) for any purpose other than for providing services for which the information was collected, unless required by law or approved by the customer. (50) The Telecommunications Act, as amended by the WCPSA, specifically states that carriers must obtain the customer’s express prior authorization to use, disclose, or provide access to call location information. The Act does not clearly state whether it applies to PDAs, such as handheld wireless devices, although the FCC has specifically exempted PDAs from its WCPSA mandate regarding 911 services. (51) To be safe, carriers and vendors seeking to use location information for wireless applications should first obtain the consumers’ consent whether or not the wireless device is subject to the legislation.

(iii) The Telephone Consumer Protection Act

The TCPA (52) imposes at least two restrictions that may affect those vendors and carriers using location technology to automatically send advertisements and other notifications to consumers based on their proximity to a particular vendor. First, the TCPA prohibits any person from making a call, other than for emergency purposes, “[u]sing any automatic telephone dialing system or an artificial or prerecorded voice … to any telephone number assigned to a paging service cellular telephone service, special mobile radio service, or other radio common carrier service, or any service for which the called party is charged for the call.” (53) “Automatic telephone dialing system” is defined as equipment that has the capacity to produce telephone numbers to be called, using a random or sequential number generator, and to dial such numbers. (54) Second, the TCPA requires that all artificial or prerecorded telephone messages clearly state at the beginning of the message the identity of the business, individual, or other entity initiating the call and the telephone number and address of such business at the end. (55)

The TCPA does not pre-empt state laws that restrict telephone solicitations and unsolicited advertisements more stringently than the TCPA. Such state laws may expressly prohibit some of the wireless transactions contemplated by vendors and should be examined more closely by vendors before engaging in wireless solicitations. For violations of the TCPA, consumers have a right to (i) enjoin activities that violate the Act, (ii) recover for actual monetary loss, or (iii) receive $500 in damages for each violation. (56) If the court finds that the defendant acted willfully or knowingly, the award may be increased up to three times the amount of damages to which the plaintiff is entitled. (57)

Whether the TCPA’s requirements apply to text messages sent to wireless devices or to transmissions sent to PDAs is uncertain. Whatever the answer to this question, lawmakers will need to reconsider the public policy underlying the TCPA to protect consumers from unsolicited advertising and invasions of privacy in light of the new wireless environments and applications. Examples of legislation currently being proposed are discussed after the following brief look at the TCFAPA.

(iv) The Telemarketing and Consumer Fraud and Abuse Prevention Act

The TCFAPA (58) was enacted to protect consumers from telemarketing deception and abuse, but it may also affect certain proposed location-based wireless applications. This Act authorizes the FTC to promulgate rules regarding abusive telemarketing acts or practices including “a requirement that telemarketers may not undertake a pattern of unsolicited telephone calls which the reasonable consumer would consider coercive or abusive of such consumer’s right to privacy.” (59) Wireless devices are not specifically mentioned in the Act, but telemarketing is defined broadly to include “a plan, program, or campaign which is conducted to induce purchases of goods or services … by use of one or more telephones and which involves more than one interstate telephone call.” (60) Violations of the Act may result in a civil action by a state or individual (if the amount in controversy exceeds $50,000 in actual damages for each person adversely affected) to enjoin such telemarketing, to enforce compliance, and to obtain damages, restitution, or other compensation. (61)

c. Proposed Legislation and Industry Self-Regulation Relating to Location Information

As location technology further develops, wireless users and businesses can expect to see more legislation directly targeting the privacy concerns generated by location-based applications. This section examines both proposed legislation and industry self-regulation, which often serves as a precursor and a model for legislation.

(i) Proposed Legislation Concerning Location Information Both federal and state legislators show increasing interest in the use of location technology. Legislators seem particularly concerned with protecting consumers from unsolicited electronic advertising, which the industry generally calls “push messaging,” but which commentators have dubbed “telespam.” (62) The availability of location-based data on wireless users and the ability to send those users targeted advertising tailored to their purchasing and movement profile makes telespamming a hotly contested issue for the m-commerce industry.

At least four bills on this topic have been introduced. At the federal level, for example, the Wireless Telephone Spam Protection Act, introduced by Representative Rush Holt (D-NJ), proposes to criminalize sending a solicitation to a wireless device without the consumer’s express permission. (63) A similar bill, the Wireless Privacy Protection Act of 2001, introduced by Representative Rodney Frelinghuysen (R-NJ), proposes to require that wireless carriers have consumers’ written consent before tracking and using their location information or other personally identifiable information. (64) The Location Privacy Protection Act, introduced on July 11, 2001, by Senator John Edwards (D-NC), would require carriers to inform end users “with clear and conspicuous notice” of their collection, use, disclosure, and retention policies regarding location information. (65) Edwards’s proposed law would also require that carriers obtain the end user’s consent before disclosing location information to third parties. (66) A fourth bill, the Freedom from Behavioral Profiling Act, would amend the GLBA, discussed in section II.A.1.b of this article, to provide for a limitation on sharing of marketing and behavioral profiling information, which includes the use of location information. (67)

In addition to these federal bills, many states are considering laws that would influence the use of location-based information. In Washington, for example, the state legislature is considering a bill that would let a citizen pay a ten dollar fee to be on a no-call list for telephone marketing that would include wireless advertising. (68) Businesses participating in the wireless market should closely watch the development of these bills and other legislation that may be introduced in this area. However, these businesses should also pay attention to the industry’s own guidelines, which could become tomorrow’ s laws.

(ii) Industry Self-Regulation of Location Information

Like the legislators discussed in the last section, the wireless industry has also shown a growing concern about the possible misuse of push messaging. In fact, the Privacy Foundation has predicted that technology companies, in concert with federal regulators, will be able to keep telespam at bay by setting industry standards that maintain the consumer’s choice to receive text messages. (69) Both the WAA and the WLIA have addressed the problem. The WAA guidelines, discussed in section II.A.1.d, require that member advertisers and marketers clearly instruct consumers on how to avoid push messaging, although the guidelines do not classify location information as “personally identifiable information.” In addition, as also mentioned in section II.A.1.d, the WLIA has established guidelines for its members to set acceptable standards for protecting the privacy of wireless consumers’ location data.

B. Ensuring The Security of The Wireless Web

In addition to the challenge of ensuring privacy for wireless customers described in the last section, businesses pursuing m-commerce initiatives will face the challenge of providing reasonable security for transactions occurring over wireless devices. One security specialist recently quoted in the Wall Street Journal estimates that “a majority of the wireless networks in operation today have no security whatsoever.” (70) Providing security will require m-commerce businesses to address two problems. First, businesses will need to develop technologies to prevent unauthorized “eavesdropping” on wireless transmissions, because wireless communications via radio signals are more easily intercepted than transactions made via cable wires. (71) Second, in order to prevent unauthorized wireless transactions from stolen or lost wireless devices, m-commerce companies will have to install appropriate safeguards, such as password protection or a pin number, that will authenticate a user’s identity. Businesses that fail to implement the latest technologies available to secure and protect wireless communications will likely face consumer distrust and legal actions relating to consumer privacy.

III. CONFORMING WIRELESS TRANSACTIONS TO TRADITIONAL CONTRACT LAW AND RETAINING ADEQUATE RECORDS

Companies that solve the privacy and security issues raised by their m-commerce initiatives still face the more fundamental challenge of doing business wirelessly. That challenge, discussed in this section, is twofold: how to ensure that wireless transactions meet the standards of traditional contract law and how to retain adequate, lawful records of those transactions. Section III.A describes the contract law challenges, while section III.B discusses the record retention issues.

A. Applying Contract Law Principles to Wireless Transactions

In order to be binding, wireless transactions require the same elements of proof as any other transaction. In particular, the parties wishing to be bound must mutually agree upon specific terms and conditions governing a transaction. (72) In addition, the parties must be able to authenticate the transaction in the event a dispute arises concerning the transaction. For m-commerce to thrive, wireless vendors and carriers must solve these contract problems of agreement and authentication. First, they must devise ways to clearly convey the terms and conditions of wireless transactions. Second, they must give customers a way to make their agreement to those terms unmistakable and authentic through their handheld wireless devices. In both of these tasks, the limited functionality of today’s wireless devices creates significant challenges.

1. Conveying Terms and Conditions for Wireless Transactions

According to the basic tenets of contract law, a wireless vendor or carrier must convey the specific terms and conditions governing a wireless transaction to the consumer. (73) Only with great difficulty, however, will the small screen of most wireless devices today display all of the terms and conditions typically associated with electronic transactions. Those terms and conditions often consist of rules for purchasing the product or service, warranty disclaimers, indemnity provisions, limitation of liability clauses, and forum selection clauses. Typically, when parties purchase and sell goods and services via the Internet, the terms and conditions governing such transactions are displayed on a webpage. This information is often displayed either on the page where the buyer or seller will indicate his or her assent to the deal, or, is available through a link placed at the bottom of a website’s homepage, among other places. These terms and conditions are often quite lengthy. (74)

Another obstacle is presented by Article 2 of the Uniform Commercial Code (“UCC”), which requires “conspicuous terms and conditions” for a sale of goods. (75) A “conspicuous term or condition” is one that is “so written that a reasonable person … ought to have noticed it.” (76) For example, the UCC provides that “language in the body of a form is `conspicuous’ if it is in a larger or other contrasting type or color.” (77) Thus, businesses concerned with wireless transactions are faced with the following dilemma: How can a vendor or service provider adequately convey the conspicuous terms when using such a small device?

Although no definitive answer currently exists to this question, wireless vendors and carriers might try one of the following four solutions to fulfill the “conspicuous” requirement:

* Display on the wireless device that the terms and conditions governing the transaction are on the original website and offer a hyperlink to the original website

* Provide a sound/audio disclaimer directly on the wireless device

* Connect an infrared signal to a strategically placed monitor via a hand-held device

* Mail, fax, or e-mail the terms and conditions to an address or facsimile machine provided by the wireless device user, forcing the user to review and agree to the terms and conditions before receiving the product or service. (79)

2. Assenting to and Authenticating the Terms and Conditions of Wireless Transactions

Under traditional contract law, in order for a wireless transaction to become binding, both parties must assent to its terms. (80) Thus, once the terms and conditions have been sufficiently conveyed to the end user of a wireless device, the user must manifest his or her assent to those terms in some unmistakable way. (81) Mutual assent may be manifested in writing, orally, or by conduct. (82) Therefore, a principal question is: what type of conduct manifests assent to the terms of a wireless contract? (83) A related problem also exists: how does a party seeking to enforce a wireless transaction establish that the other party (whose only connection to the first party may have been through wireless devices) was, in fact, the person who agreed to be bound by the contract? The solution to the first problem may lie in so-called “click-wrap” agreements while the solution to the second problem may require some sort of electronic signature or verification procedure.

With regard to the first question, no judicial decision answers this question conclusively. However, an analysis of recent decisions involving the enforceability of click-wrap agreements sheds some light on an answer. (84) Click-wrap agreements are agreements where the terms and conditions are placed on the website for the user to review and accept before obtaining the specified goods or services. (85) Typically, users must type or click the words “I Accept,” or something synonymous, in an on-screen box, and then electronically transmit this signal of acceptance to the Web publisher in order to complete the transaction. (86)

Courts have recently held that typing “I Accept” or clicking an “I Accept” icon is a sufficient manifestation of the user’s assent to the contract terms to create an enforceable agreement. (87) Indeed, within the last year, a federal court even recommended using a click-wrap agreement to avoid a venue dispute. (88)

On the other hand, merely providing terms and conditions on a webpage without requiting the user to affirmatively indicate his or her acceptance to such terms will not manifest the assent necessary to constitute a valid agreement. (89) Instead, a wireless vendor or service provider must also ensure that the user is required to affirmatively assent to such terms via a sufficient acceptance mechanism provided to the user before the user can be bound by such terms.

Given the size of display screens on wireless devices and the ensuing difficulty with physically conveying the terms and conditions to the end user, the resulting challenge is to determine what type of acceptance mechanism will be legally sufficient. For example, can a user click on an agreed upon button to indicate acceptance on a mobile phone (e.g., “press the asterisk key if you accept, press the pound key if you decline”) or click on an “I Accept” button on a web-enabled PDA? Would it be sufficient for the end user to type or speak “I Accept” using a device’s keypad or mouthpiece?

With regard to the second issue of manifesting assent through wireless transactions, the question is, how shall a wireless vendor or carrier attribute assent to the sender? One way that assent may be attributable to the sender is through the use of an electronic signature that is traceable to the party to be bound. An electronic signature is defined as any “electronic sound, symbol or process attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.” (90) This broad designation may permit electronic signatures to take the form of any of the following: a name typed at the end of an electronic mail message by the sender

One effort to codify this idea of authenticating a person’s assent is the Uniform Electronic Transaction Act (“UETA”). (92) The UETA provides that “[a]n electronic record or electronic signature is attributable to a person if it was the act of the person.” (93) The “act of the person” may be demonstrated in any way, “including a showing of the efficacy of any security procedure applied to determine the person to which the electronic record or electronic signature was attributable.” (94) The comments to the UETA suggest that “numerical codes, personal identification numbers, public and private key combinations all serve to establish the party to whom an electronic record should be attributed.” (95) The implications of the UETA raise additional questions of attribution in connection with transactions on wireless devices. For example, would spelling out a person’s name on the keypad of the wireless device be a sufficient form of attribution? Would a password or code on the wireless device be enough? How about using voice recognition and allowing the user to identify him or herself over the wireless device? Would credit card verification, i.e., typing in a credit card number, suffice as valid attribution? (96)

Only time will tell whether or not these suggestions will be considered definitive forms of acceptance via a wireless device. In the meantime, consider these three guidelines when determining what constitutes valid assent given through a wireless device:

* Confirm assent to the terms of a wireless contract by requiring the consumer to select an “I Agree” or “I Decline” button or by requiring that the consumer type in text indicating agreement with the terms

* Require an affirmative action and password or other unique identifier to be used to execute the agreement

* Confirm receipt of an executed agreement with the consumer by displaying a message on the wireless device or e-mailing the consumer a confirmation notice.

Beyond the problems of creating legally durable agreements on the wireless Web comes the problem of complying with record retention laws that might affect how businesses keep records of their wireless transactions. The next, and last, section of this article treats this subject.

B. Retaining Terms and Conditions on Wireless Devices

The challenge of retaining adequate records of wireless transactions involves gaining the confidence of consumers and their advocates concerned about inaccurate and hard-to-get records of wireless transactions. Consumers and businesses will face a final challenge in the wireless marketplace: balancing vendors’ and carriers’ compliance with applicable record retention requirements and consumers’ desire to be treated fairly in obtaining reliable records of wireless transactions. Record retention requirements are not unique to wireless transactions

Both codes provide that an electronic contract that is required under other applicable law to be in writing (97) or retained by the parties, (98) must comply with the codes’ record retention provisions if they are adopted by the applicable state. Once again, however, the limited function of wireless devices makes consumer access and retention of wireless transaction records difficult under either model code. The next two sub-sections discuss each of these codes in depth, and the third and final sub-section of this Article looks at criticisms of the efforts to standardize the record keeping of electronic commerce.

1. E-Sign Record Retention Requirements

An electronic contract or electronic record satisfies the E-Sign record retention requirements if it “accurately reflects the information set forth in the contract or other record.” (99) The contract or record must also remain accessible, “in a form … capable of being accurately reproduced for later reference,” to everyone legally entitled to access the information. (100) As discussed below, the E-Sign record retention requirements are much more robust than their UETA counterparts. (101) Because E-Sign requires virtually tamper-proof records and essentially shifts the burden of risk onto the wireless retailer, (102) consumer advocates generally favor the E-Sign provisions to those of the UETA. (103) A court may deny the legal effect, validity, or enforceability of a contract or record if a wireless retailer fails to comply with these provisions. (104)

2. UETA Record Retention Requirements

Often criticized by consumer advocates as patently unfair to consumers, (105) the UETA’s record retention provisions can be satisfied if the recipient is merely capable of retaining the electronic contracts or records at the time of receipt. (106) The UETA record retention requirements differ from those in the E-Sign in three respects:

* Under the UETA, the sender is not expressly obligated to retain a record in an unmodifiable form after it is originally transmitted

* The UETA does not give the record’s custodian an ongoing obligation to keep the record accessible for later reproduction

* The UETA requires that records be made available only to the recipient at the time of receipt, records are not made available to any party entitled by applicable law to access the information. (109)

Both E-Sign and the UETA create problems for businesses seeking a clear road to compliance, and for consumers seeking accurate and easily accessible records. The next and last section of this article examines those criticisms.

3. Criticism of Record Retention Requirements

The unique challenge to businesses seeking to capitalize on the wireless web will be in gaining the confidence of consumer advocates who are concerned with an increased risk of unfair consumer practices associated with wireless transactions. This will be particularly challenging in states that have adopted the UETA. To meet that challenge, businesses may have to go beyond the current laws on record retention. For several reasons, these laws still fail to construct a reassuring framework for consumers who are concerned about inaccurate or inaccessible wireless transaction records.

For instance, in a “traditional” electronic transaction conducted via personal computer, the recipient could download a file either to his or her hard drive or to a diskette. In most cases, the Internet user could then simply print a hard copy of the terms of the contract or record on his or her local printer. In contrast, wireless devices are not typically connected to printers. Neither E-Sign nor the UETA gives the recipient any right to a free paper copy of the record in the event the recipient is unable to access the information electronically.

Moreover, neither E-Sign nor the UETA prescribes a particular technology or format in which electronic records must be retained or accessed. E-Sign simply requires that before a consumer can consent to an electronic transaction, the consumer must give his or her consent in a format that “reasonably demonstrates” that the consumer actually has the requisite equipment to access the electronic records, (110) Furthermore, under E-Sign the information must be stored in a format that can be accurately accessed by all parties entitled to receive the information. (111)

The UETA has no requirement for “accurate access” or even for access in any particular format. And although the UETA requires the consumer to consent to conducting the transaction electronically, (112) this consent does not have to be given in a form that will confirm the consumer’s ability to access the electronic record at the time of receipt.

Consumer advocates contend that the UETA places consumers at a distinct disadvantage because it lacks an “accurate accessibility” requirement. (113) Those advocates argue that, assuming wireless retailers fully comply with the record retention provisions of the UETA (i.e., they make the record capable of retention by the recipient), a recipient of the wireless information who lacks the equipment necessary to actually retain or access such information will still be forced to rely on the seller’s purportedly accurate copy of the record in the event of a dispute. (114) Even if the wireless retailer resends a copy of the electronic record to the consumer, the consumer still has no assurance that the record provided would be accurate under the UETA. (115) Consumer advocates argue that the consumer’s version could potentially be changed every time the record is accessed because the UETA does not require that the information be retained in an unmodified format.

Businesses seeking to participate in the wireless economy must be aware of their customer’s concerns and should proactively seek ways to overcome them. Businesses may take one of several possible avenues to address these concerns. For example, businesses may consider making paper copies of electronic records available to consumers upon request. Or, businesses engaging in wireless transactions may decide to provide an e-mail version of the electronic record to those consumers who have previously designated an email address and consented to such notification. In any event, a solution may require going beyond the black letter law of the UETA and E-Sign.

IV. CONCLUSION

The legal issues outlined in this Article will be central to the growing commercial, political, and consumer debate on the future of wireless devices. The potential uses and misuses of personally identifiable and location information are of interest and concern to both consumers and businesses. More than any other technology before it, mobile location information offers the potential for intricately monitoring an individual’s movements and habits. To prove successful in the wireless market, businesses must develop wireless applications and business plans that not only comply with current and future legislation relating to privacy and security, but also assuage consumer fears and apprehensions.

As for ensuring the legal validity of business transactions in the wireless realm, businesses must resolve their current dilemmas, specifically, communicating the terms and conditions of wireless transactions to their customers, obtaining customers’ assent to such terms, and authenticating that assent by developing a suitable solution for retention of electronic records. In order to place the validity and enforceability of wireless contracts beyond dispute, businesses will need innovative solutions to address these issues within the limits of current wireless technology.

(1.) Glover T. Ferguson & Thomas H. Pike, Mobile Commerce: Cutting Loose, ACCENTURE OUTLOOK J., 2001 Number 1, at 65. “[T]he emergence of a world of seamless, continuous economic and social interaction” has been characterized as u-commerce. U-commerce is “[u]biquitous–taking place everywhere at all times

(2.) See Nick Wingfield, Amazon.com’s “M-Commerce” Effort Fizzles Along with Wireless Web, WALL ST. J., May 7, 2001, at B1

(3.) Industry experts in one study estimate that by 2003, “40 million [wireless] devices will be used for Internet access in the United States alone.” Mary Helen Gillespie, The Bottom Line on Wireless, BOSTON GLOBE, Mar. 25, 2001, at J15. In another study conducted by Ovum research, researchers predict that by 2005, every American wireless user “will spend an average of $75 per month on m-Commerce transactions that total $20 billion a year.” ACCENTURE INSTITUTE FOR STRATEGIC CHANGE, THE FUTURE OF WIRELESS: DIFFERENT THAN YOU THINK, BOLDER THAN YOU IMAGINE 14 (2001). See also Press Release, IDC, Despite Challenges, mCommerce Will Generate a Tidal Wave of Activity, IDC Says (July 31, 2000) (on file with the authors).

(4.) Industry analysts speculate that “[t]he global market for small wireless Internet-capable devices, including handheld computers, basic microbrowser phones, smartphones, and next generation multimedia phones, [will] grow 630 percent by 2005.” ACCENTURE INSTITUTE FOR STRATEGIC CHANGE, THE FUTURE OF WIRELESS: DIFFERENT THAN YOU THINK, BOLDER THAN YOU IMAGINE 3 (2001). See also Press Release, Strategy Analytics, Wireless Web Device Sales to Hit $73 Billion by 2005: Consumer Desire for Entertainment Based Applications Will Drive Growth (Aug. 16, 2000) (on file with the authors).

(5.) This Article focuses on the legal and regulatory regime governing wireless transactions in the United State–Europe and Canada have more fully developed and stringent privacy and security laws governing wireless transactions. For information on these laws and a general description of the wireless Web in Europe and Canada, consult the following resources: Peter P. Swire & Robert E. Litan, None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive (Interim Report Issued for a Conference of the Brookings Institution, Oct. 21, 1997), available at www. brook. edu/ dybdocroot /press/ books/nonebusi.htm (last visited Jan. 15, 2003) (on file with the Rutgers Computer & Technology Law Journal)

(6.) Surprisingly, the U.S., in sharp contrast with Europe and Canada, has no omnibus privacy law. The European Union, for example, has enacted a Privacy Directive. See Elizabeth de Bony, Europe, U.S. Agree on Privacy Policy, PCWORLD.COM, July 28, 2000, at http://www.pcworld.com/news/article/0, aid, 17857,00.asp (last visited Jan. 15, 2003) (on file with the Rutgers Computer & Technology Law Journal). Similarly, Canada has its Personal Information Protection and Electronic Documents Act, which provides “a comprehensive regulatory scheme that gives Canada’s existing Privacy Commissioner new powers to oversee all commercial use of personal information regarding Canadians.” Gisler, supra note 5.

(7.) See, e.g., U.S. CONST. amend. IV

(8.) Children’s Online Privacy Protection Act, 15 U.S.C. [subsection] 6501, et seq. (1998)

(9.) Federal Trade Commission, Privacy Online: A Report to Congress, June 1998, available at http:/ /www. ftc. gov/ reports/ privacy3/ index.htm (last visited Jan. 15, 2003) (on file with the Rutgers Computer & Technology Law Journal).

(10.) Elisa Batista, Teen Market a Tough Cell, WIRED NEWS (Apr. 26, 2001), at http:// www. wired .com/ news/ wireless/ 0,1382,42897,00.html (noting that U.S. teenagers represent a significant untapped market for national wireless carriers) (last visited Jan. 15, 2003) (on file with the Rutgers Computer & Technology Law Journal)

(11.) 15 U.S.C. [subsection] 6501-6506 (1998).

(12). Id.

(13.) 15 U.S.C. [section] 6503 (1998).

(14.) 15 U.S.C. [section] 6501(2)(A) (1999).

(15.) 15 U.S.C. [section] 6501(6) (1999).

(16.) 15 U.S.C. [subsection] 6801-6810 (1999)

(17.) 12 C.F.R. [section] 40.3(k)(1) (2001) (defining a financial institution as any institution that “engage[s] in activities that are financial in nature or incidental to such financial activities as described in Section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. [section] 1843(k)).”).

(18.) The activities listed under Section 4k of the Bank Holding Company Act of 1956 are extremely broad and far-reaching. 12 U.S.C. [section] 1843 (1999). For example, even traditional retail department stores are considered to be financial institutions under the GLBA if they issue charge cards. Id.

(19.) 15 U.S.C. [section] 6803(a) (1999).

(20.) Id. [section] 6802(a).

(21.) Id. [section] 6802(b).

(22.) FTC, Privacy Online: A Report to Congress, supra note 9.

(23.) Id.

(24.) FTC, Self-Regulation and Privacy Online: A Report to Congress, July 1999, at 7, available at http:// www. ftc. gov/ os/ 1999 /9907/privacy99.pdf (last visited Jan. 15, 2003) (on file with the Rutgers Computer & Technology Law Journal)

(25.) FTC, Privacy Online: Fair Information Practices in the Electronic Marketplace

(26.) FTC, Privacy Online: Fair Information Practices in the Electronic Marketplace: A Report to Congress, supra note 24, at 36.

(27.) FTC, Privacy Online: A Report to Congress, supra note 9, at 9.

(28.) Id.

(29.) Id. at 10.

(30.) Id.

(31.) Press Release, Wireless Advertising Association Privacy Committee, WAA General Assembly, WAA Guidelines on Privacy and Spam (Nov. 7, 2000), available at www. mmaglobal. com/ press/ pressdetail.php?press_id=privacy_press (last visited Jan. 15, 2003) (on file with the Rutgers Computer & Technology Law Journal). The WAA defines personally identifiable information as data that can be used “to identify a person uniquely and reliably, including but not limited to name, address, telephone number, and e-mail address.” Id.

(32.) Id. Unlike “pull” applications, which send information to consumers only upon their request, “push” applications send content to end users of wireless devices without their request for such information. Push messaging can include “audio, short message service (SMS) messages, e-mail, multimedia messaging, cell broadcast, picture messages, surveys or any other pushed advertising or content.” Id.

(33.) Id.

(34.) Id. “Non-Personally Identifiable Information” is defined as anonymous information typically derived from a user’s click stream data across Web sites. Such information typically does not include a webuser’s identity, and thus its use allows targeted marketing efforts to the webuser while the Web-user continues to move online anonymously. Id.

(35.) Id.

(36.) Id.

(37.) See Mike Musgrove, Shopping Online May Go Mobile

(38.) “Implementing mCommerce,” a Conference of Accenture Solutions Engineering Professionals, Chicago, May 18, 2001 (on file with the authors).

(39.) For purposes of this Article, the term “carriers” refers to the providers of telecommunication and wireless services to the general public. The term “vendors” refers to businesses that seek to sell products and services, other than telecommunication or wireless services, to end users of wireless devices.

(40.) Allanna Sullivan, Someone to Watch Over You: Do you really want your cell phone to tell the worm where you are all the time?, WALL ST. J., Dec. 11, 2000, at R8.

(41.) According to a survey conducted by the Strategis Group, the wireless services consumers are most interested in are emergency roadside assistance services, contact with emergency response centers, travel directions, and telephone directory assistance. Survey: Consumers More Interested in Location-Based Services, WIRELESS TODAY (Mar. 23, 2000), available at www.telecomweb.com/reports/cotm/lcommerce7.htm (last visited Jan. 15, 2003) (on file with the Rutgers Computer & Technology Law Journal).

(42.) Location Based Wireless Shopping Comes to NYC and SF: GeePS.com, Inc. technology lets wireless device users view local merchant announcements and special deals, MOBILE AND WIRELESS BUSINESS ADVISOR (Apr. 4, 2000), at http://advisor.com/Articles.nsf/aid/OLSEE083 (last visited Jan. 15, 2003) (on file with the Rutgers Computer & Technology Law Journal). This application was initially beta tested by GeePS.com, Inc. as a “pull” technology, which allows consumers to receive information about vendors by request. Id.

(43.) Hamilton, supra note (37

(44.) See Marc Le Maitre, Privacy on the Wireless Internet, at http://www.w3.org/P3P/mobile-privacy-ws/papers/nextel.html (last visited Jan. 15, 2003) (on file with the Rutgers Computer & Technology Law Journal)

45. Wireless Communications and Public Safety Act, Pub. L. No. 106-81, 113 Stat. 1286 (1999).

(46.) Id. The WCPSA creates the presumption that location information is proprietary, stating “without the express prior authorization of the customer, a customer shall not be considered to have approved the use or disclosure of or access to… call location information,” except (i) to provide such information to a public safety answering point, (ii) to inform a legal guardian of the customer’s location in an emergency situation that involves the risk of death or serious physical harm, or (iii) to assist in the delivery of emergency services in response to an emergency. Id. at Pub. L. No. 106-81, 113 Stat. 1286(5).

(47.) For example, for handset based Automatic Location Identification (“ALI”) technology, carriers were to begin selling ALI-capable handsets by October 1, 2001, and to hit progressively higher penetration levels until they achieved 95 percent penetration by the end of 2005. Federal Communications Commission, In the Matter of Revision of the Commission’s Rules To Ensure Compatiblity with Enhanced 911 Emergency Calling Systems, THIRD REPORT AND ORDER (September 15, 1999), available at http://www.nena.org/govtaffairs/Leg/FCCThirdReportAndOrder.pdf (last visited Jan. 15, 2003) (on file with the Rutgers Computer & Technology Law Journal). In a June 14, 2001, report submitted to a telecommunications subcommittee of the House of Representatives, the Chief of the FCC’s Wireless Telecommunications Bureau stated that although Phase II of the mandate will take several years to be deployed, its implementation will generally enable the reporting of the location of 911 calls within 100 meters or better. Wireless Enhanced 911: Hearing Before the Subcomm. on Telecomm. and the Internet of the House Comm. on Energy and Commerce, 107th Cong. (June 14, 2001) (statement of Thomas J. Sugrue, Chief, Wireless Telecomm. Bureau, Fed. Communications Comm’n), available at http://www.fcc.gov/Speeches/misc/statements/sugrue061401.pdf (last visited Jan. 15, 2003) (on file with the Rutgers Computer & Technology Law Journal).

(48.) 47 U.S.C. [section] 151, et seq.(1991 & Supp. 1999).

(49.) Pursuant to the Telecommunications Act, “customer proprietary network information” is defined as:

(A) information that relates to the quantity, technical
configuration, type, destination, location, and amount of use of
a telecommunications service subscribed to by any customer
of a telecommunications carrier, and that is made available to
the carrier by the customer solely by virtue of the carrier-customer
relationship
bills pertaining to telephone exchange service or telephone toll
service received by a customer of a carrier
term does not include subscriber list information. 47 U.S.C.

[section] 222(h)(1) (2000).

(50.) Id. [section] 222 (c)(1).

(51.) 47 C.F.R. [section] 20.18(a)-(b) (2000). Under the WCPSA, service providers are subject to the FCC mandate only to the extent “they offer real-time, two-way switched voice service that is interconnected with the public switched network and utilize an in-network switching facility.” Id. [section] 20.18(a).

(52.) The Telephone Consumer Protection Act, 47 U.S.C. [subsection] 227 et seq.(1991).

(53.) Id. [section] 227(b)(1)(A)-(A)(iii).

(54.) 47 C.F.R. [section] 64.1200 (f)(1) (2002).

(55.) 47 U.S.C [section] 227(d)(3) (1991).

(56.) Id. [section] 227 (b)(3)(A)-(B).

(57.) Id. [section] 227 (b)(3)(C)

(58.) 15 U.S.C. [subsection] 6101, et seq. (1998).

(59.) Id. [section] 6102(a)(3)(A).

(60.) Id. [section] 6106(4).

(61.) Id. [section] 6104(a)

(62.) See, e.g., Patrick Ross, Bill aims to block wireless junk email, CNET.COM TECH NEWS (Jan. 10, 2001), at http://news.com.com/2100-1033-250796.html (last visited Jan. 15, 2003) (on file with the Rutgers Computer & Technology Law Journal).

(63.) H.R. 113, 107th Cong. (2001)

(64.) H.R. 260, 107th Cong. (2001)

(65.) S. 1164, 107th Cong. (2001). See also Legislation introduced to require notice, consent for wireless location-based services, 6-28 ELEC. COM. & L. REP. 724 (Jul. 18, 2001).

(66.) See supra note 65.

(67.) S. 536, 107th Cong. (2001). See also, Baker & McKenzie, U.S. Federal Legislation and Regulations, CONGRESS: E-COMMERCE LEGISLATION AND REGULATIONS, at http://www.bmck.com/ecommerce/congress.htm (last visited Jan. 15, 2003) (on file with the Rutgers Computer & Technology Law Journal).

(68.) See Rebecca Boswell, Location-Based Technology Pushes the Edge, TELECOMMUNICATIONS ONLINE (June 2000) (on file with authors).

(69.) Stefanie Olsen, Big Brother knocked in 2000, CNET NEWS.COM, Dec. 28, 2000, at http://news.com.corn/2100-1017-250378.html?legacy=cnet (last visited Jan. 15, 2002) (on file with the Rutgers Computer & Technology Law Journal)

(70.) Lee Gomes, Silicon Valley’s Open Secrets – Wireless Computer Networks, Often Unguarded, Can be Eavesdroppers’ Gold Mine, WALL ST. J., Apr. 27, 2001, at B1.

(71.) See Alan Vanderploeg, Wireless Communications Security, MOBILE WORLD, at http:// www. mobileworld. org/ info_security.html.(last visited Jan. 15, 2003) (on file with the Rutgers Computer & Technology Law Journal).

(72.) The Second Restatement requires a contract to have “a bargain in which there is a manifestation of mutual assent to the exchange and a consideration.” RESTATEMENT (SECOND) OF CONTRACTS [section] 17 (1981).

(73.) Generally, the conveyance of specific terms and conditions by the business is considered to be the offer under basic contract formation law. The consumer’s ensuing assent is usually deemed the acceptance of the offer or contract. Id.

(74.) Dawn Davidson, Click and Commit: What Terms are Users Bound to When They Enter Web Sites?, 26 WM. MITCHELL L. REV. 1171, 1175-76 (2000).

(75.) Each state has codified its own version of Article 2 of the UCC, which applies to the sale of goods. See, e.g., U.C.C. [section] 2-316 (1999) (requiring that in order for warranties to be excluded in writing, the writing must be conspicuous). For example, disclaimers of implied warranties of merchantability and fitness for a particular purpose must be conspicuous in order to be effective.

(76.) Id. [section] 1-201 (10).

(77.) Id.

(78.) See supra additional commentary discussed in section II.A.1.e.

(79.) Unfortunately, depending on the specific circumstance, these options may not be feasible. For example, handheld devices are more restrictive than their personal computer counterparts in their graphic and navigational capability and their menu selection. Consumers may face difficulties in opening hyperlinks or reading the terms and conditions contained on a device with a screen not much bigger than a business card. Further, consumers may not even have access to a personal computer. See, e.g., Marketplace Trends in mCommerce, accenture.com (asserting that with the emergence of mobile commerce, it is significant to consider that there are more than twice as many mobile phone users than there are personal computer users worldwide) (on file with the authors).

(80.) Specht v. Netscape Communications Corp., 150 F. Supp. 2d 585, 591 (S.D.N.Y. 2001).

(81.) RESTATEMENT (SECOND) OF CONTRACTS [section] 17(1) (1981).

(82.) Netscape, 150 F. Supp. 2d at 587

(83.) Under the Uniform Computer Information Transactions Act (“UCITA”), an end user must satisfy three conditions in order to manifest assent: (1) the party must have knowledge of the terms or an opportunity to review them before assenting

(84.) Shrink-wrap agreements, the pre-cursor to click-wrap agreements, are the terms and conditions that govern the use of software. Shrink-wrap agreements are usually either printed on the outside of the software box or attached to the box, wrapped in plastic. Mark Grossman, Allison Hift, & Raquel Rothman, Click-Wrap Agreements–Enforceable Contracts or Wasted Words?, at http://www.becker-poliakoff.com/publications/article_archive/click_wrap.htm (last visited Jan. 15, 2002) (on file with the Rutgers Computer & Technology Law Journal).

(85.) Id.

(86.) Id.

(87.) Caspi v. Microsoft Network, L.L.C., 732 A.2d 528, 532 (N.J. Super. Ct. App. Div. 1999). Here, the court refused to hold an existing forum selection clause invalid because doing so would invalidate the entire online agreement. In this case, the plaintiffs, before subscribing to Microsoft’s online service had the option to click on “I agree” or “I don’t agree,” depending on whether or not they agreed to the terms of the agreement. Id. at 530. The court stated that: “Plaintiffs must be taken to have known that they were entering into a contract

(88.) American Eyewear, Inc. v. Peeper’s Sunglasses & Accessories, Inc., 106 F. Supp. 2d 895,904 (N.D. Tex. 2000). Here, the court said that defendant “could arguably have avoided subjecting itself to personal jurisdiction in Texas by taking such steps as … incorporating into its web site purchase order form a `click-wrap agreement’ that contained a choice of venue clause….” Id. at 904.

(89.) Ticketmaster Corp. v. Tickets.com, Inc., 2000 U.S. Dist. Lexis 4553, at 8 (C.D. Cal. Mar. 27, 2000), aff’d, 248 F.3d 1173 (9th Cir. 2001). Here, the court found a web-wrap site agreement unenforceable because (1) the user of the site was not required to view the terms and conditions in order to advance to the other pages of the site

(90.) Electronic Signatures in Global and National Commerce Act, Pub. L. No. 106-229, [section] 106(5), 114 Stat. 464, 472 (2000). The Electronic Signatures in Global and National Commerce Act (E-Sign law), which was signed by President Clinton on June 30, 2000, was intended to remove barriers to e-commerce by validating electronic records and signatures. See Leonard A. Bernstein & Gary L. Kaplan, The Electronic Signatures Act: Giving a Boost to E-commerce, 21 ABA BANK COMPLIANCE 9, at 21 (Sept./Oct. 2000).

(91.) See Thomas J. Smedinghoff & Ruth Hill Bro, Moving with Change: Electronic Signature Legislation as a Vehicle for Advancing E-Commerce, 17 J. MARSHALL J. COMPUTER & INFO. L., 723, 730 (1999).

(92.) Uniform Electronic Transactions Act (“UETA”) is the state counterpart to the E-Sign Law. UNIF. ELEC. TRANSACTIONS ACT (Nat’l Conference of Comm’rs on Unif. State Laws 1999). Approximately thirty states have enacted a version of the UETA. McBride, Baker & Coles, E-Commerce Spotlight: Recent Updates and Legislative Tables, at http: www. mbc. com/ ecommerce/ legislative.asp (last visited Jan. 15, 2003) (on file with the Rutgers Computer & Technology Law Journal). Some states have adopted the version proposed by the Commissioners, while others have added and deleted certain provisions. The following states have enacted some version of the UETA: Alabama, Arizona, Arkansas, California, Delaware, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Maine, Maryland, Michigan, Minnesota, Montana, Nebraska, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Utah, Virginia, and West Virginia. Id.

(93.) UETA [section] 9(a) (1999).

(94.) Id.

(95.) Id. [section] 9, cmt. 4.

(96.) The comments to the UETA indicate that the act of typing one’s name as part of an electronic mail purchase order may suffice to authenticate the electronic signature as belonging to the sender. Id. [section] 9, cmt. 1 (a). However, the UETA does not specify other means of authentication. Id.

(97.) Applicable federal and state law (i.e., Statute of Frauds or consumer protection law) will determine which contracts must be in writing in order to be enforceable. Of all the classes of contracts described in the Restatement (Second) of Contracts and the U.C.C. Statute of Frauds provisions, the authors believe that contracts for the sale of goods for $500 or more are most likely to be conducted via the wireless web and subject to the record retention requirements described here.

(98.) Neither the UETA nor E-Sign specifies who is entitled to retain a record, leaving the matter for state law instead. Robert A. Wittie & Jane K. Winn, Electronic Records and Signatures Under the Federal E-Sign Legislation and the UETA, 56 BUS. LAW. 293 (2000). The authors further note, “[b]ecause the common law and the Statute of Frauds generally do not entitle anyone to retain a copy of a contract, the practical impact of [E-Sign] section 101(e) is likely to be limited to records that consumer protection or similar laws specifically require to be provided to a party in a form that they may retain.” Id. at 10-11.

(99.) Electronic Signatures in Global and National Commerce Act, S. 761, 106th Cong. [section] 101 (d)(1)(A) (2000).

(100.) Id. [section] 101 (d)(1)(B).

(101.) Id.

(102.) Although E-Sign does not expressly shift the burden of risk to the wireless retailer, it has that practical result. The writing requirements in the Statute of Frauds and consumer protection laws exist for the purpose of protection of the party against whom enforcement of the contract is sought. In virtually every wireless commerce transaction, the wireless retailer will communicate nonnegotiable contract terms to the consumer, who will then be required to manifest his/her assent in order to complete the desired transaction. If the seller wants to enforce the terms of the contract against the consumer where a writing is required, the seller must comply with the provisions of E-Sign [subsection] 101 (d)(1)(A)-(B) (2000).

(103.) Gall Hillebrand & Margot Saunders, E-Sign and UETA: What Should States Do Now? NAT’L CONSUMER LAW CENTER, available at http://www.consumersunion.org/finance/e_sign.htm (last visited Jan. 15, 2003) (on file with the Rutgers Computer & Technology Law Journal).

(104.) Electronic Signatures in Global and National Commerce Act, S. 761, 106th Cong. [section] 101(e).

(105.) Hillebrand, supra note 103 (comparing the UETA record retention requirements against the more stringent E-Sign provisions).

(106.) UETA [section] 8(a) (1999). A record is not capable of retention by the recipient if the sender or its information processing systems inhibits the ability of the recipient to print or store the electronic record. Id.

(107.) Id.

(108.) UETA [section] 8(a) (1999)

(109.) UETA [section] (1999)

(110.) Electronic Signatures in Global and National Commerce Act, S. 761, 106th Cong. [section] 101(c)(1)(C)(ii) (2000).

(111.) Id.

(112.) UETA [section] 5(b) (1999).

(113.) Hillebrand, supra note 103.

(114.) Id.

(115.) Id.

Allison S. Brantley *, Shanin T. Farmer **, Bacardi L. Jackson ***, Jana Krupoff ****, Steven S. List ***** and Ellen G. Ray ******

* Allie Brantley, as an associate with King & Spalding LLP’s Technology Practice Group, focused on drafting, negotiating, and evaluating a wide range of commercial and technology transactions, ranging from e-commerce and Internet-related agreements to software and trademark licensing agreements. In 1993, Ms. Brantley graduated cum laude from the University of Georgia. She attended Mercer University’s Walter F. George School of Law, graduating cum laude in 1997.

** Shanin Farmer is an attorney for Accenture and focuses primarily on IT consulting and outsourcing transactions in Accenture’s Communications & High Tech and Financial Services operating units. Ms. Farmer received her Juris Doctor from the John Marshall Law School and was a member of the John Marshall Law Review. Ms. Farmer has a Bachelor of Science in Marketing from the University of Illinois at Chicago.

*** Bacardi Jackson is an associate at King & Spalding LLP. Prior to joining the Labor and Employment team, her practice focused on representation of early-stage technology companies, software licensing and other intellectual property transactions, venture capital and merger and acquisition transactions. Ms. Jackson graduated from Stanford University and received her Juris Doctor from Yale Law School. Before joining King & Spalding LLP, Ms. Jackson served as a law clerk to the Honorable Janet C. Hall in the United States District Court of Connecticut.

**** Jana Krupoff is an attorney for Accenture in Chicago, Illinois. At Accenture, Ms. Krupoff works as counsel for the Financial Services operating group and is responsible for Accenture’s contractual arrangements with banks, insurance companies, and capital markets in the east and west. Ms. Krupoff earned her Juris Doctor from Chicago-Kent College of Law in 2000. In 1997, Ms. Krupoff graduated from Indiana University with a Bachelor of Science degree in marketing and international business.

***** Steven List is the Legal Lead for Accenture’s Global Government Practice and is responsible for Accenture’s contractual arrangements with federal, state and local governments throughout the world. Mr. List earned his Juris Doctor from DePaul University College of Law in 1986 and is licensed to practice before the Illinois Supreme Court and the United States District Court for the Northern District of Illinois. In 1983, Mr. List graduated from the University of Wisconsin-Madison with a Bachelor of Arts degree in Psychology.

****** Ellen Ray is Counsel with King & Spalding LLP in Atlanta, Georgia. Her practice is primarily focused on information technology and business process outsourcing, and technology licensing transactions