Selling Out of State and Internationally

Which laws and regulations govern how you may operate an ecommerce business?

If you sell to consumers located in another state or another country, your ecommerce business will be subject to the laws and regulations of those other jurisdictions. Your customers may able to sue your business in a court in a distant state or nation and, as a result, force a change in your business practices, or even shut down your business there, based on regulations or rules of law far away from where your business is located. If your ecommerce business is based in the United States, you need to understand the US Federal laws that apply to your business, the state laws and regulations that may govern, and the laws and regulations of other jurisdictions that may apply to your business when you sell to consumers outside of your home state.

U.S. Federal laws governing ecommerce businesses
U.S. federal law is applicable to businesses located or doing business in the U.S., and is equally applicable to web-based enterprises. In addition, U.S.-based ecommerce businesses and non-U.S. businesses selling to U.S. customers need to keep an eye on compliance with U.S. federal laws and regulations that deal specifically with issues unique to web-based business. Some examples are: the CAN-SPAM Act, requiring labeling unsolicited emails and prohibiting deceptive subject lines and false headers, the Children's On-Line Privacy Protection Act, which applies to websites that are directed to children under age 13 and requires certain privacy notices, parental consents, and other precautions (see, the Gramm-Leach-Bliley Act, dealing with web-based financial services (see, and E-sign, concerning electronic signatures.

State laws
The laws of the state in which you are operating will be applicable to your ecommerce business, just as they are applicable to brick-and-mortar businesses operating in your state. Your business will also be subject to laws and regulations of states in which your customers reside. Individual states may have adopted their own regulations specifically addressing SPAM, electronic financial services, or the collection of data from website users.

In California, for example, an anti-SPAM law became effective in 2004 and may impose additional restrictions and limitations on unsolicited email from California businesses. Likewise, in 2004, California adopted a privacy law that requires all commercial websites or online services that collects personal information on California residents through a website, to conspicuously post a privacy policy on the site and to comply with such privacy policy. The privacy policy must, among other things, identify the categories of personally identifiable information collected about site visitors and the categories of third parties with whom the operator may share the information. The failure to post a policy within 30 days of being notified of noncompliance, or knowingly and willfully or negligently and materially failing to comply with the provisions of the posted policy, violates the California statute. WAISdocID=0382511002+0+0+0&WAISaction=retrieve

See also the discussion of privacy policies on the web site of the Office of Privacy Protection of the California Department of Consumer Affairs.

Laws of other jurisdictions
Jurisdictions outside the United States have implemented regulations specifically governing how an ecommerce business may operate.

European Union
The European Union adopted privacy directives in late 2002 which govern the dissemination of unsolicited emails by businesses and individuals in Europe and the transfer of personally identifiable customer data pertaining to Europeans. Certain European countries have similar laws which apply locally.

Canadian federal and provincial law addresses the collection, use and disclosure of personal information by organizations in the course of commercial activities. Personal information is defined as identifiable information about an individual, except for business contact information and publicly available information (business-email addresses are treated as personal information). These laws require that personal information be collected, used and disclosed with consent, and they will impact any organization doing business in Canada. Canada’s Personal Information Protection and Electronic Documents Act known as PIPEDA and the substantially similar provincial laws require organizations to appoint a privacy officer, post a privacy policy which identifies the purposes for which personal information is collected, used and disclosed, implement a consent process for personal information and establish an access and compliance mechanism. Organizations must implement safeguards to protect personal information from unauthorized use and disclosure and make sure that all service providers agree to similar protections for personal information processed on behalf of the organization.

Consent is often built into the privacy policy and is typically obtained at the time personal information is collected. Consent can be opt-out in nature where personal information is being collected and used for the purposes required in order to provide a product or service. In addition, consent can usually be opt-out for purposes of secondary marketing of related products and services. Organizations should be sure to have in place an easy to implement opt-out process where individuals can quickly have their names removed from any marketing databases. Where personal information is being used for other purposes or where sensitive personal information will be disclosed to third parties, consent should be opt-in (express).

When will you be subject to the specific laws and regulations of another jurisdiction?

Determining which laws govern the operation of your business is a function of many factors, including where you are operating your web-based business, into which jurisdictions you may be shipping products, the nature of the target audience for your ecommerce site, and the ways in which you market and promote your web-based business.

The notion that a business located in one state may be subject to the decisions of courts in another state is not new and applies outside the ecommerce context, as well. Courts throughout the United States follow the general rule that, if a business “purposefully avails itself” of the benefits of doing business in another state, such as by actively soliciting and marketing to customers in that state and entering into agreements for the sale of goods or services delivered in that state, then the business can be sued in that state over claims relating to the transactions it sought or concluded there.

Lack of a physical presence within a state does not prevent you from being sued there. The jurisdiction of any state over a business based elsewhere arises under the state’s “long-arm” jurisdiction statute (so-dubbed because the state is considered to be reaching far and wide with the “long arm of the law”). How aggressively a state may apply its “long-arm” statute to non-resident businesses and individuals stems from a long line of famous U.S. Supreme Court cases. With the proliferation of web-based ecommerce, states have tried to assert their jurisdiction over businesses with much less obvious connections to their state than some of the defendants in the jurisdiction cases of yore.

Whether a court can assert jurisdiction over an out-of-state defendant based on Internet-related contacts with the state depends on the nature and quality of commercial activity that [the defendant] conducts over the Internet. U.S. courts have tried to draw distinctions between passive web sites – those which don’t actively seek or conduct business with consumers within a state – and active web sites – which involve commercial transactions between a business and a consumer within a state.

Maintaining a "passive" web site for advertising purposes isn’t enough to create jurisdiction within a state. It isn’t necessarily enough, even if a site has some interactive features. That an interactive web site may create the potential for a business transaction with consumers inside a particular state may not even be sufficient. There needs to be something more: some level of business must actually have been transacted. Where a business uses a web site to sell goods and services to a consumer in a particular state, and it is designed to allow consumers in multiple places to purchase products or services through the site, it may be more likely to be considered an “active” web site, and jurisdiction within that particular state will lie.

Can’t I choose my own law and my own courts?

Many websites’ terms and conditions include a "choice of law" clause, i.e., a provision specifying that the law of a particular jurisdiction will apply to the enforcement of or to disputes relating to the terms and conditions. A typical provision might provide:

While such provisions are common in website terms and conditions, it is not certain that they will be upheld in all contexts. Choice of law and venue clauses that are within terms and conditions that require a user to affirmatively indicate consent may be more readily enforceable than those which are in terms and conditions that are simply posted on the site. Even where express assent is obtained, however, such clauses may be void against public policy. [Find a U.S. example, such as Paypal] A French judicial opinion refused to enforce a provision contained in an internet service providers contract choosing [U.S.] law, on the grounds that it would have circumvented mandatory local laws protective of consumers.

Complying with applicable laws versus staying local
Does your ecommerce business need to comply with the laws of any jurisdiction where it has a customer? In theory, yes. Yet, because of the practical burdens assessing and complying with every conceivable local requirement, an ecommerce business may pay close attention primarily to the laws of jurisdictions in which it specifically targets consumers. Jurisdictions for which it has a specially-tailored version of its website, where it has conducted local advertising and promotional campaigns, and where it makes the most sales are the ones of greatest concern.

If you determine not to incur any risk of being sued in another jurisdiction, then you may wish to avoid conducting business outside your local area. There is no definitive test to determine whether a business not has established a sufficient presence in a jurisdiction for it to be sued there, but the following basic principles offer some guidance: (i) limit the interactive features of your website to avoid collecting information from residents of a jurisdiction in which you would prefer not to be sued; (ii) don’t allow more than isolated sales to residents of a particular jurisdiction, as the greater the volume of sales within a particular jurisdiction, compared with the overall sales of the ecommerce business, the greater the chance the seller will be subject to being sued in that jurisdiction, (iii) don’t promote your site to residents of a particular jurisdiction by means of advertising in local publications or on websites that are regional in focus, and (iv) don't create a foreign-language version of your site or utilize a country-specific TLD, such as ".ca" (for Canada), unless you are willing to subject yourself to jurisdiction in that country.