1) Contracts and Transactions in E-Commerce

          The digital age has created numerous new commercial opportunities. Common business transactions can be accomplished with the click of a button, and agreements can be made and carried out entirely online. However, the technological changes that have revolutionized modern commerce also raise novel legal issues, particularly pertaining to the form and enforceability of contracts made and carried out electronically.

 Websites face potential legal liability and other adverse consequences for several common activities in digital commerce. In this first module, we begin with a discussion of contracts of adhesion and their use in web and software-based agreements. Next, the discussion turns to best practices and policy guidelines that regulators have developed for electronic transactions and the model laws created for e-commerce agreements. The analysis then concludes with a discussion of how the law has developed to address contracts made in electronic form, including the validity of digital signatures and electronic records.

Contracts of Adhesion in Digital Commerce

          The internet age has given rise to entirely new forms of contracts, as well as new ways that e-commerce companies and their customers trigger contractual liability. Online companies often manage this liability by publishing documents explaining the terms of the website. It is now a standard practice in e-commerce to require customers to abide by published “terms and conditions of use” or “terms of service” to conduct transactions on a site or sometimes even to browse it. These documents are used to explain what a website may and may not be used for, and customers are permitted to view and use the website upon the condition that they follow the published terms of service.  Websites also commonly publish notices and disclosure documents required by consumer protection regulations.

    Expressly disclaiming and limiting liability in this way is an important means by which e-commerce sites manage risk. However, whether these terms always stand up to a legal challenge is a different matter. Many of these contracts qualify as “contracts of adhesion,” meaning that the offeree (in this case, the website user) must either agree to or refuse all the offered terms. These contracts typically offer no bargaining power to the consumer, and as a result, courts tend to view them with increased judicial scrutiny.

The software industry has shifted the notion of assent in contractual agreements from traditional oral or written formats to more abstract means. In fact, the tech industry gave rise to an entire category of contracts that originated with what is now known as “shrinkwrap” agreements.  Shrinkwrap agreements are made when the offeror – a software company, most often – lists terms of use and other requirements on its packaging, and the offeree manifests his or her assent by opening the plastic wrapping around the package.  These agreements have evolved into several forms, each of which requires a customer to manifest assent by engaging in some intentional conduct.  For example, some websites require visitors to accept their terms and disclosures by clicking “I agree” or a similar prompt that appears on web browsers’ screens. These agreements, deemed “clickwrap contracts,” require website users to consent to the website’s terms by action – the click of a button.  “Scrollwrap agreements” also require web browsers to accept terms and conditions before using a site. However, rather than clicking a button, scrollwrap requires consumers to scroll through the contract before it is deemed accepted.  

    So long as clickwrap agreements provide consumers with sufficient detail of the site’s terms and conditions, acceptance by click is considered valid, and these agreements are typically enforceable.   Likewise, scrollwrap contracts also create legally-binding agreements so long as they are structured in a manner that requires clearly demonstrated assent by action.  Although they qualify as contracts of adhesion, they meet the standards of notice and voluntary acceptance necessary to create binding agreements. 

    Some websites require consumers to agree to terms and conditions simply by accessing the content. Because they do not require the same degree of volitional acceptance as clickwrap and scrollwrap agreements, these so-called “browsewrap agreements” are often invalidated by reviewing courts.  Generally, the standard for enforceability of clickwrap, scrollwrap, and similar agreements is whether the customer had a reasonable opportunity to review the offer and manifest assent by some demonstrable means.  Browsewrap contracts will only hold up if a website user has actual or constructive knowledge of the site’s terms and there is evidence of assent.  If these fundamental elements of notice and volitional acceptance are not shown by the facts, the websites’ terms of use and other representations are unenforceable. 

Best Practices and Policy Guidelines for Electronic Transactions

            The field of e-commerce law is relatively new.[15] However, over time, courts and regulatory agencies have developed recommended best practices and guidelines for e-commerce sites to ensure fair dealing in digital transactions. By following these guidelines, websites can help ensure that both their stakeholders and their customers are properly protected during their electronic dealings.

Even though the Federal Trade Commission rules on mandatory disclosures were first developed to apply to brick-and-mortar establishments, they apply to domestic transactions accomplished electronically as well. In 2000, following a public comment and rule making procedure, the FTC issued its “Dot Com Disclosures” guidance document. This policy statement clarified that the FTC’s rules and regulations promulgated under the Federal Trade Commission Act apply to virtual activities just as they do in the “real world.”[16] 

The FTC requires all legal disclosures made electronically to be clear and conspicuous. This means that online representations must be near the website’s product or service, appear for a sufficient duration or be unavoidable to web viewers, and be presented in a form that the average web consumer would be able to understand.[17] For example, if the terms of use are hyperlinked rather than spelled out on the screen, the link should be clearly visible and properly labeled. Likewise, if web browsers access web content via mobile devices, the disclosures must be presented in a manner that is clear on small screens.[18] The agency places the responsibility on the website owner to ensure that consumers receive proper notice of mandatory disclosures, so e-commerce sites should regularly review consumer behavior to make sure their legal rights are properly protected.[19]

It is the website owner’s responsibility to understand which industry-specific agency rules apply to the online business.[20] It is also the website owner’s responsibility to ensure that the customers are properly informed, so disclosures must be clear. If necessary, information should be repeated to ensure online consumers receive proper notice, and any website offering online purchasing options is responsible for making sure that customers are fully aware of their rights and obligations before they buy.[21] The FTC does not distinguish between representations, warranties, or advertisements made online or in print, so e-commerce companies must be able to demonstrate that all online claims are truthful, fair, and capable of being substantiated by objective evidence.[22]

Models for e-Commerce Agreements

            To be legally enforceable, electronic agreements must comply with the standards established by legal precedent in the common law and the Uniform Commercial Code. Because digital transactions don’t always fit squarely in the traditional structure under which these rules developed, the National Conference of Commissioners on Uniform State Laws has developed a model law designed to integrate digital transactions into the framework established by the UCC.[23] The model law, dubbed the Uniform Computer Information Transactions Act, attempts to harmonize contracts common in cyberspace, such as hyperlinked agreements, affiliate agreements, licenses, mandatory disclosures, terms of use, and online shopping and bidding agreements, into the existing legal infrastructure governing contract law.[24]

            This uniform act was originally drafted in the late-1990s, and it aimed to create a uniform set of standards for information technology transactions that don’t fit squarely within the UCC’s rule regarding the sale of goods. Despite its potential usefulness, however, it was never widely adopted. Critics complained that it was too dense and confusing to be practical and that its limited scope and many loopholes made it possible for software companies to carry out questionable business practices.[25] In response to these concerns, the American Law Institute drafted its own model law, the Principles of the Law of Software Contracts.[26]

            The Principles address four common legal issues in electronic contracting:

–       The identification and nature of digital transactions,

–       Contract formation and industry best practices,

–       The application of federal intellectual property law and electronic contracting, and

–       Specific issues of e-commerce law pertaining to warranties, remedies, and transfer.[27]

Rather than following the codified structure of the UCC and original model statute, the Principles are designed like a Restatement, which is a series of rules written by experts as to what the law is in an area, rather than as a model code.[28] They are meant to provide guidance to courts and lawmakers addressing issues common in electronic transactions, and they have proven to be a useful tool in the review of contracts in e-commerce.

For example, the Principles offer a test for determining whether an e-commerce business is dealing primarily in goods under Article 2 of the UCC or in software contracts that are more properly addressed by federal intellectual property laws. Known as the “predominant purpose test,” it looks at whether the predominant factor, thrust, and purpose of the contract, reasonably stated, is the rendition of a service, with goods only incidentally involved, or is a transaction of sale, with labor incidentally involved.[29]

            In addition to providing an authoritative source on the proper nature and scope of electronic contracts, the Principles address the procedures for the formation of these agreements. The formation rules for electronic agreements and software licenses are broad, allowing for the creation of enforceable agreements by any methods the parties choose.[30] The Principles also allow for so-called “rolling contracts” in which customers agree to different terms at different times.[31]

For example, Hill v. Gateway 2000 involved a customer who purchased a computer over the phone. When the computer arrived, the box included Terms of Service that included a 30-day satisfaction warranty. The plaintiff became unsatisfied after the warranty period had elapsed and sued for the return of his money, arguing that the 30-day warranty should be an unenforceable supplemental term that was added after the contract for sale was formed over the phone. The court disagreed, finding that the parties had a rolling contract to which the customer assented, first over the phone and then again – to the supplemental terms – when he opened the box and kept the product beyond the thirty day period.[32]

Filling Gaps and Interpreting Electronic Agreements

            Like the UCC, the Principles offer helpful “gap-fillers” and “battle of the forms” provisions.[33] They apply the standards for physical records found in UCC § 2-207 (applicable when terms of the acceptance vary from those of the offer) to electronic records, but provide special rules for cases where software or other protected electronic property is transferred to a third party.[34] These clarifications are particularly significant in electronic contracts, as in the past, third-party transferees have argued that they cannot be bound to the terms of service agreed to by the original purchaser.[35]

             Regarding interpretation of electronic agreements, the Principles provide an objective interpretation rule that instructs courts to begin with the language of the agreement. If the agreement does not address the issue under dispute, courts should then consider the parties’ actions during their performance under this contract and/or their prior course of dealing. If the agreement of the parties is still not clear, a court may look to applicable trade practices in the industry.[36] If the parties to a digital contract disagree over the meaning behind specific words or conduct or the agreement is ambiguous regarding a fundamental term, courts can consider evidence of the parties’ subjective knowledge and intent at the time the agreement was made.[37]

            Finally, the Principles clarify the standards of performance for software contracts, including what qualifies as a breach of the agreement and the remedies available in the event of breach. They define breach as a party failing to perform as promised without legal excuse.[38] This definition is consistent with UCC Article 2 and the common law, but it also includes key clarifications regarding agency and warranty issues that commonly arise in digital transactions.[39] For determining whether a breach is material, thus warranting cancellation of the contract, the Principles outline six factors. Examples include a supplier’s failure to disclose a material defect and the contract’s failure to perform its essential purpose.[40] Additionally, the rule stipulates that providers of software that provides electronic services cannot program the software to disable itself automatically unless the customer has actual or effective notice of this possibility.[41]

Digital Signatures and Electronic Records 

Modern technology has altered the landscape of traditional contract law, and state and federal lawmakers have responded in turn. Nearly every state has enacted the Uniform Electronic Transactions Act, which sets forth the requirements for validating digital records and signatures on electronic agreements.[42] The Act was drafted in 1999 to remove unnecessary legal barriers to the growing field of e-commerce. It establishes the forms and types of electronic records and signatures that are considered equivalent to signed paper agreements.[43]

The Electronic Signatures in Global and National Commerce Act (often referred to as “E-Sign”) is the federal counterpart to the Uniform Electronic Transactions Act.[44] This federal law officially legitimizes electronic records and e-signatures and prohibits courts from denying enforcement of a contract solely because the parties executed it electronically.[45] E-Sign also lays out the ground rules for validating the authenticity of electronic signatures and ensuring that digital agreements are not improperly modified.[46] First, E-Sign requires that the customer consent to engage in electronic communications or they must be sent on paper.[47] Further, a customer may demand an electronic record to be produced on paper or by other means and may withdraw his or her consent for electronic communications at any time.[48] Withdrawing consent, of course, does not negate already agreed-to terms, but it does prevent future binding electronic agreements.

Together, these laws establish the legal legitimacy of electronic signatures, communications, and records in digital transactions. Because most states had already adopted the Uniform Electronic Transactions Act by the time Congress enacted E-Sign, the federal legislature decided to include a provision that, where they conflict, the federal law typically defers to the uniform act’s substantive requirements.[49]


Over the past decades, e-commerce has developed from an emerging industry to a regular part of our daily lives. Most of us purchase goods and services, post media, perform financial transactions, review proprietary information, and perform other important activities online on a regular basis. Fortunately, as electronic transactions have become more common, the law of digital commerce has developed solutions to some of the new issues raised by the internet age.

Despite the novelty of many electronic transactions, courts and legal scholars have worked out a relatively straightforward standard for review of contracts common in software and information technology transactions. Likewise, state and federal lawmakers have developed statutes setting forth requirements for validity and authenticity of electronic agreements and consumer protection agencies have created guidelines for mandatory disclosures and other best practices for fair dealing. These legal protections create a robust framework that helps to make sure e-commerce customers and businesses are protected in their daily activities.

2) Legal Privacy Protections in the Internet Age

            Privacy is not only a moral prerogative, it’s a legal right guaranteed by the Constitution, at least when it comes to government interference. However, in the modern age, technology has evolved to a point where much of our personal information is shared as data. Sometimes, we offer this information up voluntarily. Other times, it’s collected from our online activities. Regardless, personal information shared publicly raises important legal issues regarding privacy rights and the security of our virtual activities.

         This module begins with an overview of the constitutional foundations of the right to privacy in the United States, particularly as they have been applied in the age of electronic surveillance. The discussion then turns to the federal approach to online privacy and personal electronic data protection, including what the government does to protect private information it collects and stores electronically. The module closes with a discussion of national and state-level online privacy protection laws, which often function to protect consumers even across jurisdictional lines.

The Constitutional Right to Privacy

            The right to privacy against government interference stems from various constitutional provisions, most importantly the protection against unreasonable searches and seizures in the Fourth Amendment. However, this provision addresses only physical interferences with tangible things, specifically “persons, houses, papers, and effects.”[1] This leaves open the question of whether the constitutional right to privacy should extend to virtual interference with intangible things, like private communications and personal data.

           The landmark Supreme Court case of Katz v. United States in 1967 was the first major decision dealing with how technological advancements impact our right to privacy.[2] The case involved an electronic listening device secretly installed on a public payphone by the FBI. The surveillance technology recorded Katz making illegal gambling wagers by phone. The FBI didn’t have a warrant for the device, so Katz challenged the evidence collected against him, claiming it was a violation of his Fourth Amendment rights. The Supreme Court agreed with Katz, holding that the Constitutional right to privacy extends to anyone who has a “reasonable expectation” that their information is private.[3]

           Since Katz, the courts have grappled with how new methods of physical detection impact the right to privacy. In Kyllo v. United States,[4] a federal law enforcement agent used a mobile thermal imager – a device created to detect heat signatures – to determine that the defendant was likely growing marijuana in his home.[5] The defendant argued that the heat signature evidence violated the Fourth Amendment because the thermal imager effectively searched his home without a warrant. The lower courts dismissed Kyllo’s argument, ruling that the defendant had no objectively reasonable expectation of privacy, as the thermal imager “did not expose any intimate details of Kyllo’s life.”[6] On appeal, however, the Supreme Court reversed. The Court held that the thermal imaging of Kyllo’s house constituted an intrusion into his home. Activities done behind closed doors, the Court ruled, are performed with a reasonable expectation of privacy even if technology allows infiltration without a physical intrusion.

           Over time, the courts have repeatedly considered which methods of government surveillance raise constitutional privacy concerns. This is an evolving field of law and whether a right to privacy is violated remains a case-by-case determination largely dependent on what is a reasonable expectation under the circumstances. Activities performed behind closed doors are presumed private, as evidenced by the very act of shielding them from view.

          But in the digital age, applying the concept can be murky. Things like metadata and digital cookies often collect data on our online activities even when we are using private computers on personal internet connections in the sanctity of our own homes. Although Supreme Court precedent has developed ways to protect people’s privacy from intrusions based on modern technology, case law has left several questions regarding cyber-privacy unresolved. As a result, state and federal legislators have developed laws designed to protect people’s rights to digital privacy.

Privacy Laws Regulating Government Activity

         The landmark Katz decision kicked off the development of several state and federal laws to protect privacy rights. In 1968, immediately following the Katz case, Congress enacted the Wiretap Act to protect privacy while also affording law enforcement the ability to intercept telephone communications under appropriate circumstances.[7] However, the Supreme Court ruled that the Act only covered the interception of telephone or oral communications, excepting a broad range of potentially private information that could be collected incident to the wiretap.[8] This caused Congress to expand the protections of the Wiretap Act, which it accomplished through the Electronic Communications Privacy Act of 1986.[9]

        This Act amended the existing statute regulating wiretaps to include the digital transmission of electronic data, creating an additional level of protection against the disclosure of electronic communications. The law outlaws the unauthorized interception of wire, oral, or electronic communications and lists the procedures the government must follow when using electronic surveillance devices. The law also includes the Stored Communications Act, which focuses on the privacy of stored electronic communications and the government’s access to them.[10] Congress enacted the law to update federal privacy laws to reflect recent advances in electronic communication technology.[11] All of a sudden, personal information was being recorded and transferred by mass e-mail operations, cell phones, computer-to-computer transmissions, teleconferencing software and a growing list of new technologies designed to facilitate communication.[12] The Electronic Communications Privacy Act preceded the World Wide Web, but it foreshadowed the legal issues raised by the long-term storage of data conducted by many modern online service providers.[13]

       As progressive as it was for its time, the Electronic Communications Privacy Act has recently attracted substantial criticism by technology companies and privacy advocates. Critics claim that the laws are not useful in the digital era because they fail to provide adequate privacy protections against evolving technologies that make use of personal information.[14]

      Over the past few years, there have been attempts at updating the Electronic Communications Privacy Act. In 2011, the Senate introduced a set of amendments that would have required law enforcement to obtain a search warrant before accessing the content of any electronic communication, no matter how long it had been stored and even if it had never been retrieved by the recipient.[15] In 2013, Representative Kevin Yoder introduced a similar bill in the House. However, these amendments never passed.[16] Proposed amendments to the Electronic Communications Privacy Act and Email Privacy Act were reintroduced in 2015, and they are still pending.[17]

       The Homeland Security Act of 2002, originally introduced in the aftermath of the September 11 terrorist attacks, represented one significant development in federal electronic privacy protections.  The primary mission of the Homeland Security Act was to prevent terrorist attacks in the United States, reduce the vulnerability of the United States to terrorism and minimize damage and assist in recovery from terrorist attacks that do occur.[18] However, the law also included staunch privacy protections designed to ensure that domestic citizens’ privacy rights remain intact despite the increase in law enforcement efforts. The law’s privacy-related objectives regulate the collection, use, and disclosure of personally identifiable information.

      Under this law, the federal government may not use certain technologies to monitor private activities without a warrant supported by probable cause. However, the effectiveness of this law has been questioned. Most notably, classified information leaked by former National Security Agency subcontractor Edward Snowden in 2013 indicated that state-sponsored domestic surveillance has been ongoing for some time.[19] Thus, although there is widespread support for amendments to the federal laws regulating electronic surveillance, it remains to be seen whether anything will come of it.

Private Information Stored Electronically

       The Privacy Act of 1974 was passed in response to the increasing collection and use of personal information by the government.[20] The Privacy Act established a code of so-called “fair information practices,” which governs the collection, maintenance, use, and dissemination of personal information that is recorded by the federal government.[21] It also requires consent before any personal information held by the government is disclosed, subject to some exemptions.[22]

        President Gerald Ford, a strong advocate of personal privacy, regarded the Privacy Act as an important “first step” toward safeguarding individuals.[23] While its protections were limited, the Privacy Act represented the first official embodiment of the fair information principles and practices that have been incorporated in many other online data protection efforts. Now, the notice and disclosure precedent set by the Privacy Act serves as the basic standard for privacy protections applied to electronic data and it has even been written into the laws of states. For example, Nevada and Minnesota have each passed similar laws requiring Internet Service Providers to comply with privacy rules pertaining to information they collect from customers.[24] As the internet becomes the dominant source for marketing, sales and the distribution of products and services, specialized laws are still being developed to protect people online.

National Online Privacy Protection

        Outside the realm of government activity, the United States has been slow to develop online privacy laws that prevent private companies from collecting, using, and sharing personal information collected from people’s virtual activities. In 2018, the European Union put into effect the General Data Protection Regulation, which requires companies using internet users’ personal data to first obtain consent. This protection extends to many types of information, including a person’s IP address and browsing history.[25] While many multinational companies operating in the United States and Europe have changed their privacy policies to reflect the new regulation, no such similar law exists in the United States.

       The U.S. does, however, protect the online privacy of children. By 1998, 10 million children in the United States had access to the internet.[26]

       Around that same time, researchers showed that young children are unable to understand the potential ramifications of revealing their personal information online. In response, Congress enacted the Children’s Online Privacy Protection Act, or “COPPA.” The Act has been administered by the Federal Trade Commission, which developed its own implementing regulation – the subsequent Children’s Online Privacy Protection Rule.

       COPPA sets forth privacy standards for websites “directed towards children” under the age of thirteen. The law and its supplemental regulations require these websites to give notice regarding the use and nature of information collected. COPPA also requires websites to obtain “verifiable parental consent” before collecting or using children’s personal information.[27] While COPPA was revolutionary when enacted, many have been calling for an overhaul providing stricter regulation on the collection and dissemination of personal information.[28] However, as it has been regarding most federal online privacy laws, Congress has been slow to react. Instead, most online privacy protection laws in the United States have come from states.

State-Level Online Privacy Protections

        One of the hallmarks of our federalist legal system is the ability for states to step in where federal laws are lacking. Recognizing the shortcomings in national online privacy protections, many state legislatures have passed laws that create these privacy protections. In fact, many states have passed laws regulating mandatory disclosures in the event personal digital information is accessed by hackers or other unauthorized sources.

        The California Online Privacy Protection Act was a landmark internet privacy law enacted in 2003. It applies to anyone whose website collects personally identifiable information from California consumers. It requires operators to post privacy policies on websites in conspicuous places. It also requires compliance with the published privacy policies and gives consumers opportunities to opt out of data collection practices. The law requires all websites serving customers in California to identify the categories of personally identifiable information that they collect and requires website owners to comply with any “Do Not Track” requests.[29]

        Many state legislatures have followed California’s lead in establishing online privacy protections for in-state e-commerce customers. Connecticut, for example, requires any company that collects social security numbers to create and display an enforceable privacy protection policy. The policy must be sufficient to protect the social security numbers from disclosure and to prevent unauthorized access.[30] Delaware follows California’s restrictive approach to online consumer privacy protection, requiring all e-commerce websites and mobile apps that collect personally identifiable information to provide clear notice of their activities to all web customers.[31] Likewise, Nevada’s online privacy law requires websites collecting personally identifiable information to notify customers how their information is being used.[32] Utah also requires businesses to disclose any personal information that they share or sell to a third party, although this statute is not expressly limited to online businesses.[33]


            There is no uniform legal structure to safeguard online privacy. While Congress has passed laws preventing unauthorized access or use of electronic information by the federal government, noncompliance appears to be a major challenge to the enforcement of these laws. Attempts at strengthening federal electronic privacy protections have been introduced but not enacted.  Still, many states have passed their own laws aimed at protecting personal privacy. Likewise, e-commerce sites that allow access to users from the European Union must now receive consent before collecting private information. While these requirements do not hold legal weight in every U.S. jurisdiction, they do create significant privacy protections simply by the non-jurisdictional nature of e-commerce activities. In other words, because many of the websites we use every day are also active in Europe, California and jurisdictions with similar privacy protection laws, many Americans are receiving the protections afforded by these jurisdictions even though they do not reside within them.

3) Online Consumer Protection in E-Commerce Transactions

In today’s digital world, consumers can manage all sorts of personal financial activities online. This includes everyday transactions like shopping and banking and more specialized online financial activities like gambling, charitable giving and online auctions. To protect the growing number of consumers who are active online, federal lawmakers have developed laws and policies designed to help ensure the safety of consumer transactions in e-commerce.  Without these legal protections, consumers would be subject to scams, fraud and other illicit activities that put their personal finances and privacy at risk. 

This module discusses legislation that addresses consumer protection and combats internet and computer fraud. The analysis begins with an overview of the development of e-commerce consumer protection laws in the U.S., highlighting the origins of the growing field of online consumer rights. Next, we’ll dig into the more recent federal laws developed to address common online consumer issues, including unsolicited emails, and legal protections afforded to online retail shoppers. Following this more specific analysis, the discussion turns to the regulatory system that helps ensure federal online consumer protection laws are properly enforced.

Development of U.S. E-Commerce Consumer Protection Laws

By the 1980s, Congress became concerned with the lack of law enforcement directives for internet crimes. While telecommunications fraud statutes often extended to e-commerce communications, there was a need for new laws addressing computer-related crimes and frauds. In 1986, Congress enacted the Computer Fraud and Abuse Act, a law that prohibits anyone from accessing a computer or computer network without the owner’s consent.[1] This early law criminalized hacking, cybertheft and destruction of private and classified information, and it penalized the theft of property in which a computer was used.

The Computer Fraud and Abuse Act continues to maintain its relevance in combating e-commerce fraud. In fact, Congress has amended the Act several times to address the growing sophistication of cybercriminals. As amended, the Act criminalizes even the mere threat of damaging another person’s computer equipment, stealing computer data, publicly disseminating stolen data and refusing to repair damage the offender caused to one’s computer, such as through ransomware. Moreover, under certain circumstances, the law permits victims of computer fraud the right to bring civil actions against offenders for injunctive and compensatory relief.[2]

Many of the existing consumer protection laws that apply specifically to internet transactions were developed from laws regulating commercial activity by telephone. The prevention of telephone-based fraud remains an important law enforcement prerogative. In fact, the most prevalent complaint the Federal Communications Commission receives from consumers is that of unwanted, unsolicited telephone calls.[3] 

The most significant regulations for businesses who advertise by phone apply to those who practice robocalling. Robocalling is the use of an automated telephone dialing system that employs prerecorded voice messages or other artificial means.[4]  While there are some legitimate uses for robocalling, such as advocacy for political candidates or charitable organizations, more often, it is used as a means to perpetrate a scam, such as fraudulently obtaining one’s personal information to commit identity theft.[5]  In response to the potential consumer protection issues raised by the practice, Congress enacted the Telephone Consumer Protection Act of 1991.[6]

Among other things, the Telephone Consumer Protection Act requires entities who regularly make commercial or solicitation calls to maintain do not call lists. In 2003, Congress updated the Act to establish a national do not call registry. This amendment also required telemarketers to “scrub” their telephone number databases of any numbers included on the national list.[7]  Additionally, the Act requires a robocaller to identify the organization that is calling and provide its telephone number and address.[8]  The Act was again modified in 2012 to require telemarketers to obtain written consent from consumers prior to robocalling them and to close loopholes allowed by broad exemptions in the prior law. The amendments also required telemarketers to provide automated, interactive ‘opt-out’ mechanisms that consumers can use to immediately tell telemarketers to stop calling.[9]  In 2017, the Federal Communications Commission adopted rules that allowed telephone companies to preemptively block calls they believe to be fraudulent. These numbers are targeted because they are either invalid – meaning that they use non-existent area codes, do not belong to a service provider or are not currently in use – or seem to be unable to make outgoing calls.[10]  

Federal Laws Regulating Unsolicited Emails, SPAM, and Spyware

As email became more and more popular after the turn of the millennium, lawmakers became concerned about the potential for consumer abuse in the form of unsolicited or fraudulent emails. In 2003, Congress enacted the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, more commonly referred to as the CAN-SPAM Act.[11]  This law represents a progression in the development of federal e-commerce consumer protection laws, which had previously focused on telephone calls and the nearly obsolete fax machine.

The CAN-SPAM Act addresses e-mails sent as commercial advertisements or promotions of commercial products or services. Every business that sends unsolicited or commercial emails should be aware of the law’s requirements. First, CAN-SPAM prohibits emails from including false or misleading subject headings. The law also requires the subject line to be accurate and the message to be clearly identified. Additionally, CAN-SPAM requires the sender to include its postal address in the subject matter and notify recipients of their ability to opt out of future emails. The law requires the sender to honor those opt-out requests within ten days of receipt and it includes a prohibition against charging recipients for the service. 

CAN-SPAM also prohibits the sale or transfer of a recipient’s email address, subject to limited exemptions.  Finally, the law prohibits organizations from avoiding compliance with the law. For example, a company that is selling a product but uses a third party to promote that product via email remains legally responsible for the actions of the third party. CAN-SPAM’s broad set of anti-fraud policies is designed to punish and deter consumer abuse perpetrated via email. The law provides for strict penalties for statutory violations, including fines of over $40,000 per violation.[12] 

CAN-SPAM also differentiates between commercial content and transactional content. To determine an email’s primary purpose under the law, regulators look from the perspective of a reasonable consumer looking at the subject line of an unsolicited email. If the recipient would likely interpret the subject line to indicate that the message contains a commercial advertisement or promotion, then the email is considered to be commercial in nature. An email is transactional in nature, on the other hand, if the content of the email message pertains to a transaction a consumer made with an organization, such as a product warranty, recall or similar required notice; concerns changes in terms of agreements or provides account balance information; concerns an employment arrangement; or provides goods or services that the consumer has already authorized. Transactional emails are exempt from CAN-SPAM’s main restrictions.[13]

Another important law protecting consumers online is the Undertaking Spam, Spyware, and Fraud Enforcement with Enforcers Beyond Borders Act of 2006,[14] more commonly known as the SAFE WEB Act.  SAFE WEB’s primary purpose is to “fight spam, spyware, and Internet fraud and deception.”[15] The law represents an expansion of the policies already established by the Computer Fraud and Abuse Act and the CAN-SPAM Act. Whereas other acts focused primarily on addressing consumer fraud on a national level, the SAFE WEB Act targeted global fraud issues to protect American consumers.[16]   

SAFE WEB offers important consumer safeguards relevant to spyware, spam, and other internet attacks, which represent a growing global concern. In 2004, regulators received over 860,000 complaints regarding spam, spyware, and internet fraud. By 2014, this figure tripled to well over 2.5 million complaints.[17]  These figures provide convincing support for increased legislative and regulatory measures combating internet fraud. To help address the issue, the SAFE WEB Act expands the FTC’s discretion in combating international computer fraud targeting United States citizens. For example, the SAFE WEB Act permits the Federal Trade Commission to share its confidential data with foreign law enforcement agencies.  This allows the agencies to cooperate with foreign law enforcement officials to help curb internet activity supporting international fraud. This cooperation allows for more comprehensive policing of international illegal activity and incentivizes other countries to share reciprocal information.[18] 

Online Retail Consumer Protections

These laws all protect some aspect of online consumer activity. Laws have been placed on the books addressing unauthorized access of consumer financial information, hacking and computer fraud and commercial advertisements made via email. Another important area is the laws and regulations addressing online retail customers.

To create additional protections for consumers purchasing goods online, Congress passed the Restore Online Shoppers’ Confidence Act, also known as ROSCA, in 2010.[19]  ROSCA fills gaps in the growing field of online consumer protection. For example, the law regulates a practice known as data pass, which occurs when an online shopper makes a purchase with an initial merchant, but that merchant then uses a third party to process the payment.  Without regulation, this opens the door for the third party to sell the customer’s data, making a profit off of the unknowing consumer’s personal information. ROSCA prohibits the practice of data passing to prevent the sale of personal retail consumer information.

In addition, ROSCA imposes requirements on negative option features.  According to the Federal Trade Commission, a negative option feature is an offer to sell goods or services that includes a provision that makes the customer’s silence or failure to affirmatively reject the goods or services an acceptance of the offer.[20] Companies offering negative options often rely on consumers either forgetting or not realizing that they’re being perpetually billed. That’s because negative option features are often employed when a company offers a customer a free service or product, but at the time of registration, requires the customer to include credit or debit card information.  Then, the consumer becomes enrolled in a subscription plan or membership.[21] 

ROSCA does not make negative option features illegal. Rather, the law requires online sellers to ensure that consumers who sign up for subscription plans intend to enter into such agreements.  Therefore, ROSCA prohibits a company from initiating a negative option plan unless it clearly and conspicuously discloses all material terms of the transaction before the consumer submits billing information. The company must also obtain a consumer’s informed consent before charging his or her account, and the law requires simple mechanisms for consumers to prevent unwanted recurring charges.[22] Like the suite of other federal online consumer protection laws, ROSCA imposes hefty civil penalties for anyone found to be in violation of the law. A ROSCA penalty can be as much as $16,000 per violation, in addition to any restitution payments and/or equitable relief required to make the victimized consumers whole again.[23]

Administrative Regulations to Protect Online Consumers

The two executive agencies most involved with protecting online consumers are the Federal Trade Commission, or the “FTC” and the Federal Communications Commission, or “FCC.” Although those two agencies initially worked independently, over time it became necessary to clarify jurisdictional issues with regard to each agency’s roles and responsibilities regarding consumer complaints against internet service providers.  As a result, in December 2017 the agencies entered into a formal agreement to coordinate their efforts to more effectively protect online consumers. The agreement reflects updated policy initiatives that have been put into place under the Trump administration, particularly regarding the changes in online consumer protection that have followed the new leadership’s change in policy.[24] Most notably, this includes the “Restoring Internet Freedom” Order that effectively repealed the Obama administration’s broad net neutrality policy.[25] In general, the Trump-era Federal Communications Commission has taken a “light touch” to regulating internet commerce, preferring instead to encourage creativity and innovation by relaxing the previously expansive requirements regarding internet consumer access.[26]

The FCC and the FTC share regulatory jurisdiction in the field of online consumer protection, and the memorandum of understanding executed by the agencies divides roles and responsibilities broadly based upon the agencies’ respective mandates. For example, the FCC is required to promote transparency in online communications pursuant to the requirements of its mandate. To fulfill this requirement, the agency will monitor online markets and identify obstructive business practices. This includes reviewing informal consumer complaints and performing investigations where appropriate. The FTC, on the other hand, is responsible for preventing unfair and deceptive business practices in online commerce. So, while the FCC is responsible for reviewing consumer complaints, the FTC investigates and takes enforcement actions against those alleged to have violated applicable laws.[27] 

In addition to the cooperative enforcement of online consumer protection laws established by the agreement between the FCC and FTC, the FTC imposes a suite of rules specifically addressing consumer protection in online advertisements.  Most significantly, the FTC issued its Dot Com Disclosures guidance document in 2000 after an opportunity for public comment and notice.[28] While the details of the FTC’s policies outlined in the Dot Com Disclosures are discussed in greater detail in Module 1, it bears mentioning that the agency closely regulates the form and content of information distributed in e-commerce to prevent unfair or deceptive practices. 

To ensure consumers are properly protected from false or misleading ads, the FTC requires all advertisements and other commercial communications made online to be clear and conspicuous. This standard is subjective, meaning that the question of whether a particular piece of information shared in e-commerce is deceptive or unfair rests on the perspective of the customer. Representations about commercial products or services made online must be easily visible and understandable to the average consumer, and the agency places the responsibility on the website owner to ensure that consumers receive fair and accurate information.[29]


Over the past thirty years, federal laws have developed a robust suite of online consumer protections that regulate common activities that consumers undertake online. However, these laws must constantly be revisited to address the growing needs of online consumers. With the perpetual advancement in technology, it is unclear how effective the existing online consumer protection law enforcement scheme will be in coming years.  As a result, Congress may need to consider crafting additional laws to address consumer privacy concerns and ongoing consumer fraud issues.

4) Taxation in E-Commerce

            When internet businesses first entered the mainstream in the 1990s, few people were able to predict the transformational impact e-commerce would have on the U.S. economy. In 1999, total online retail sales in the United States amounted to about $15 billion, or approximately one-half of one percent of all retail sales nationwide.[1] By 2016, this figure had skyrocketed to over $389 billion, with e-commerce amounting to eight percent of total retail sales.[2] This type of growth is nearly unparalleled in U.S. economic history, and lawmakers have worked to develop rules for the e-commerce industry that ensure both continued development and effective regulation of this increasingly important market. This is particularly true in the development of e-commerce tax laws, which have recently shifted focus from facilitating growth in e-commerce markets to ensuring that online businesses contribute their fair share of revenues to the public coffers.

This module explains how e-commerce activities are taxed. The discussion begins with how e-commerce taxes arose in an environment designed to protect this burgeoning industry from undue financial and regulatory burden. Next, the analysis highlights recent developments in e-commerce taxation that have shifted national policy. These developments will impact online businesses. The module closes with a discussion of tax issues associated with business activity common across e-commerce, including online auctions, credit card and third-party payment network transactions, and virtual or “crypto” currency activities.

Protective e-Commerce Tax Policies

            As e-commerce was first establishing itself in the U.S. economy, federal lawmakers wanted to make sure that this promising new market had the opportunity to grow without unnecessarily burdensome regulation and taxation. To this end, Congress passed the Internet Tax Freedom Act in 1998.[3] This law imposed a three-year moratorium on duplicate or discriminatory taxes levied on e-commerce activities. This law also precluded state and local governments from taxing internet access, a policy which was made permanent with the enactment of the Trade Facilitation and Trade Enforcement Act of 2015.[4] However, internet access is still taxed in seven of the 50 states, as these jurisdictions had pre-existing internet laws that were preserved by the Internet Tax Freedom Act’s “grandfather” clause.[5]

            In addition to banning taxation on internet access, the Internet Tax Freedom Act prohibits multiple jurisdictions from levying taxes on the same e-commerce transaction. This limits sales or use taxes levied against e-commerce companies to the state or county in which the transaction takes place.[6] So, for example, an e-commerce company based in New York that ships an order to customers in New Jersey could be taxed on the transaction by either New York or New Jersey, but not both.

            Protective tax policies for e-commerce transactions originate from the Commerce Clause in the Constitution.[7] The Supreme Court has interpreted the Commerce Clause to prevent the states from passing laws that have the effect of discriminating against certain activities in interstate commerce. This prohibition has been applied by federal legislation to online businesses by the Internet Tax Freedom Act’s ban on discriminatory e-commerce taxes, which prevents state and local governments from imposing taxes on electronic transactions that are higher than they would be for identical activities performed at brick-and-mortar businesses.[8]

            Tax policies embodied in the Internet Tax Freedom Act reflect national support for electronic business. However, as e-commerce companies have increased their market power, concerns regarding the dampening effects of taxation have subsided. In fact, the Supreme Court recently established that some types of state and local taxes can be levied against online businesses without running afoul of the Commerce Clause.

Recent Developments in e-Commerce Taxation

            The Internet Tax Freedom Act was passed during a time of lax e-commerce taxation. This conservative approach was largely due to the Supreme Court’s interpretation of how the Commerce Clause applies to taxation in e-commerce in the case of Quill Corporation v. North Dakota. The Quill precedent required that e-commerce companies have a physical presence or a business nexus to a state before that state would be allowed to tax their activities. Thus, under Quill, states could not collect sales tax from purchases that state residents made from out-of-state companies.[9]  However, the Quill precedent has been discarded in favor of a more liberal e-commerce tax policy, as we’ll discuss shortly.

Another reason the federal government was slow to warm up to the idea of allowing state and local governments to tax e-commerce transactions was the practical concern of how difficult it would be for online companies to comply with the tax policies of every state to which they shipped. Forty-five states and Washington D.C. collect sales taxes and most of them also allow municipalities and local governments to levy taxes.[10]  Thus, e-commerce companies face the potentially daunting task of complying with dozens, if not hundreds, of tax policies from every jurisdiction in which they have customers. These jurisdictions vary with respect to what e-commerce activities are taxable, the applicable sales tax rate and when and how often sellers must file tax returns. Effective compliance would be extremely burdensome, and when Quill was heard back in the early 1990s the Supreme Court viewed this compliance burden as an unconstitutional burden on e-commerce companies’ abilities to engage in interstate commerce.

The basis for this ruling dated back to 1967, well before the internet was invented. Then, the Supreme Court struck down the State of Illinois’ policy of charging state sales tax on catalog companies selling in Illinois but located out of state. The case, commonly known as the Bellas Hess case, held that the complexity of requiring out-of-state sellers to comply with the sales tax requirements of every customer’s jurisdiction would be an unconstitutional burden on interstate commerce.[11] The Court applied the Bellas Hess precedent decades later in the Quill case.

However, in 2018, Quill was overturned by a landmark decision in South Dakota v. Wayfair, Inc. Wayfair involved a South Dakota law that imposed sales taxes on out-of-state vendors providing goods to state residents. The law included several exemptions and safe harbor terms designed to protect small e-commerce companies from undue burdens associated with out-of-state taxation.

South Dakota began enforcing its new tax policy against major e-commerce retailers active in the state, including, Newegg, and Wayfair. Both the trial and appellate courts hearing South Dakota’s enforcement cases struck down the law under the Supreme Court’s precedent in the Quill case. In reviewing the case, the United States Supreme Court determined that the changes that have occurred in the e-commerce markets over the past two decades necessitated a departure from the outdated precedent set forth in Quill.[12]  The technical challenges associated with state and local sales tax compliance have declined substantially due to e-filing and the plethora of bookkeeping and tax preparation software on the market today. As a result, compliance is no longer a burden on interstate commerce.

State and Local E-Commerce Taxes After Wayfair

While some concerns remain regarding the long-term impacts the Wayfair decision will have on e-commerce activity, the Supreme Court clarified that permissible state and local sales tax laws must be designed to prevent unnecessary burdens on interstate commerce. For example, the South Dakota law under review included a safe harbor provision for small e-commerce retailers, a prohibition on retroactive taxation and a set of clear, uniform, and simple methods that companies can follow to ensure compliance with the law.[13] Thus, the Wayfair case did not simply unleash the floodgates of taxation on e-commerce retailers. Rather, the ruling allows state and local governments to tax e-commerce sales only when the applicable tax rules are designed for simple compliance and do not improperly burden commerce. Additionally, state and local governments are still barred from imposing sales tax on internet access by the Internet Tax Freedom Act and subsequent amendments.

The Supreme Court’s decision in Wayfair caught many tax policy experts by surprise, but some e-commerce companies saw this change in law coming well in advance. In fact,, the world’s largest retail e-commerce company, began collecting state sales tax on all direct sales in 2017. However, the retail giant has been less generous when it comes to local taxes. In at least six states –Alaska, Idaho, Iowa, Mississippi, New Mexico, and Pennsylvania – Amazon was not fully complying with local tax laws.[14] This has placed some local governments at a disadvantage, as the Government Accountability Office recently estimated that taxing all e-commerce sales would net state and local governments between $8 billion and $13 billion in additional tax revenues.[15] Now that the Wayfair decision clarified these jurisdictions’ authority to require e-commerce sales to pay local taxes, it’s expected that more e-commerce retailers will charge both state and local sales tax where required.

Practical Taxation Issues Unique to E-Commerce

            The internet revolution has given rise to several new ways to buy and sell things online, as well as new technologies designed specifically for the processing of electronic payments. These include online auctions, secure credit card transactions and the new wave of virtual or “crypto” currency and related financial services. Each of these activities is subject to taxation under the federal tax code in addition to any state or local sales or use taxes that may apply.

            Online auctions have become increasingly common since e-commerce giant eBay first launched in 1995. This site and the thousands that have followed offer marketplaces for direct person-to-person trading, propelling online auctions well into the world of mainstream retail.[16] Often, the entities selling goods in online auctions are laypeople who don’t think they have to report this income on their tax returns. However, proceeds from nearly any auction – whether online or physical – are taxable unless the circumstances merit specific exemption. Depending on the way the online auction is carried out, this may include individual income tax, business income tax, self-employment tax and/or excise taxes like sales and use taxes. The IRS does not levy taxes against all online auctions, and the agency generally does not require people to report auction proceeds “akin to an occasional garage or yard sale.”[17] However, any entity that sells goods through online auctions as a regular business activity or hobby must report its profits to the IRS on its tax return.

            Credit card companies and third-party financial networks like PayPal or Venmo must abide by the reporting requirements found in Section 6050W of the Internal Revenue Code. Credit card and third-party payment companies are legally required to document and report the gross amounts paid to individuals and companies who have performed more than 200 transactions totaling $20,000 or more across their payment networks. Section 6050W requires these financial service companies to file informational returns with both the IRS and the company that accepted the credit card or third-party payment.[18]

Although the IRS does not collect taxes directly based on these informational returns, this sort of third-party reporting has been shown to increase compliance with applicable tax laws. When the IRS receives a report of revenues generated by credit card or payment networks, which are submitted to the agency and the payment recipient on a Form 1099-K, it can use this information to check the accuracy of income reported on the business’ returns and identify non-filers.[19] Thus, the rule is a key tool that the IRS uses to help ensure online payments are reported and taxed appropriately.


With the rise of cryptocurrencies, a new type of financial product powered by blockchain technology, the IRS has had to develop a new approach to collecting tax revenues on online transactions.

Cryptocurrencies, also known as virtual currencies or coins, are software programs used as digital representations of real-world economic value. Just like cash or credit card transactions, they are used as a means of exchange, unit of account or store of economic value.[20] However, the fact that cryptocurrencies are used to purchase goods and services as well as for investment and trading purposes has led to some confusion regarding the proper tax treatment of this new financial technology.

In 2014, the Internal Revenue Service issued a policy statement that shed some light on the federal taxation of virtual currencies. In this statement, the IRS explained that cryptocurrencies may be used for the purchase and sale of goods. Some cryptocurrencies are also convertible into U.S. dollars, just like stocks or bonds. Because they are convertible, the IRS concluded that these types of virtual currency profits should be taxed as property rather than income. Thus, profits made from either investing in or accepting payments in these forms of cryptocurrencies are taxed according to the capital gains tax rates. This means that every convertible cryptocurrency transaction – whether made as a payment for goods or services or as a revenue-generating investment – is a taxable transaction that must be reported to the IRS.[21]


            The digital revolution has changed our economic reality. Now, many of the activities that used to bring consumers to brick-and-mortar establishments are performed entirely online. This has transformed the U.S. economy, and it has forced lawmakers to grapple with the growing presence of e-commerce in consumer and business finance. As a result, the federal and state laws regulating e-commerce transactions have developed substantially over time, and tax policy has been no exception.

5) Regulation of Online Financial Transactions

Since the turn of the millennium, electronic transactions have grown in popularity from a specialized financial niche to one of the most common ways people exchange money. In 2010, non-cash transactions amounted to about $282 billion worldwide. E-commerce and the growing availability of electronic financial services have caused this figure to increase substantially. In 2015, non-cash transactions totaled over $430 billion, and this figure is expected to top $725 billion by 2020.[1] In response to the growth in electronic transactions over the past decade, federal and state lawmakers have worked alongside the electronic payment processing industry to develop laws, regulations, and best practices meant to ensure that online payments are verifiable and secure.  

This module discusses the legal landscape of common e-commerce financial transactions. The analysis begins with a discussion of the Financial Services Modernization Act, a federal law that serves as the linchpin for further regulation of electronic transactions. Next, the focus shifts to federal rules requiring certain business practices regarding electronic payments and then to a discussion about the measures that the electronic payment processing industry has taken on its own initiative to make e-commerce transactions more secure. The module closes with a brief overview of special topics in online financial activities.

The Financial Services Modernization Act

Unlike analog transactions, electronic payments require payees and recipients to maintain sensitive financial information that is accessible online. While this lays the groundwork for the ease and convenience of sending money with a click, it also exposes people to a great deal of risk. Congress identified this risk early in the digital revolution and responded by passing the Financial Services Modernization Act, also known as the Gramm-Leach-Bliley Act, in 1999.[2]

The Act addresses privacy issues in digital and analog financial transactions. Specifically, it applies to anyone who obtains a financial product or service from any financial institution, either online or brick-and-mortar. However, it is particularly relevant to payments made in e-commerce because it addresses concerns related to consumer privacy in electronic financial transactions. This includes most online credit card transactions, which are also known as “card not present” payments.[3] 

The Act requires financial institutions to protect consumers’ “nonpublic” personal information, which includes information consumers must provide to obtain financial products and services, such as their names, addresses, yearly incomes and Social Security numbers.[4]  It also includes information the financial institution gathers from the financial transaction, such as consumers’ account numbers, payment histories, account balances and credit or debit card purchases.[5]  Nonpublic personal information also includes information that others can derive from the underlying financial transaction, such as court records or consumer reports.[6]

To protect consumers from potential fraud and abuse, the Act limits a financial institution’s ability to disclose nonpublic personal information and imposes mandatory disclosure and notice requirements when disclosures are made. When disseminating any nonpublic personal information, a financial institution must provide consumers with information on its privacy policies and practices. The consumer must also be provided with the chance to “opt out” of the disclosure if the information is going to a non-affiliated third party, such as an independent research organization or an online retailer, subject to limited exceptions. The Act further prohibits financial institutions from sharing nonpublic personal information with third parties for marketing purposes.[7]

Several agencies are responsible for administering the requirements of the Act, with the FDIC chief among them. The Federal Trade Commission has also issued a set of rules aimed at protecting customers and their personal financial information when they make online transactions.

Federal Rules Regulating Electronic Financial Transactions

Since the passage of the Financial Services Modernization Act, regulatory agencies have developed a suite of rules and policies designed to implement the law. In 2007, the Federal Trade Commission developed a set of regulations specifically designed to address security and consumer protection concerns created by online transactions. These regulations are commonly known as the “Red Flag Rules.”[8]  

These rules impose requirements on businesses and other organizations that accept electronic payments. First, anyone who falls under FTC jurisdiction must implement an identity theft prevention program that can detect known ‘red flags’ of identity theft. These include any suspicious pattern, practice or activity that indicates possible identity theft.[9] Placing the responsibility on the organizations receiving online payments helps ensure that enforcement and deterrence of e-commerce crimes starts at the grass-roots level.

The Red Flag Rules apply to banks, savings and loan associations, mutual savings banks and federal credit unions. They also cover businesses that qualify as “creditors” with “covered accounts.” The process of determining whether an organization is covered involves a close review of its business activities, particularly regarding accounts receivable and how accounts are accessed during business operations. These organizations must implement this identity theft prevention plan in their day-to-day operations and take other steps that may be necessary to prevent and mitigate online financial crimes.[10]    

To comply with the Red Flag Rules, businesses must satisfy four key elements. First, the business must identify potential red flags that could lead to identity theft during standard day-to-day operations. Second, the business must create a system or program that detects the identified red flags. Third, the business must detail the actions that it will take to respond to detected red flags. Finally, the business must identify how it will remain current and up-to-date on identifying and addressing potential new threats.[11]

By way of example, imagine that an e-commerce company has identified changing IP addresses from payment accounts as a potential red flag for cyber theft. The rules require the company to design or purchase a system that can track IP addresses from payment accounts and alert the business when there is an unexpected change. Next, the company must have an official policy in place explaining what it will do to respond to the issue, such as by suspending the flagged account or sending notice of the change to the payee. As time goes on, the Red Flag Rules also require the company to regularly revisit its policy regarding changing IP addresses and revise it as necessary.
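The IP-address scenario above can be sketched as a small detection and response routine. This is an added example, not part of the original module: the `Policy` and `RedFlagMonitor` names, the choice to compare IPv4 /24 networks rather than single addresses, and the sample events (documentation-range IPs) are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample events: (time, payment account, source IP)
EVENTS = [
    ("2024-05-01T09:00", "acct-1001", "192.0.2.10"),
    ("2024-05-02T09:05", "acct-1001", "192.0.2.44"),    # same /24: ordinary churn
    ("2024-05-02T10:00", "acct-2002", "198.51.100.7"),
    ("2024-05-03T03:12", "acct-1001", "203.0.113.99"),  # new network: red flag
    ("2024-05-03T03:15", "acct-1001", "203.0.113.99"),  # arrives after the response
]

@dataclass
class Policy:
    """Hypothetical written response policy (the third element)."""
    prefix_len: int = 24     # assumption: compare IPv4 networks, not single hosts
    action: str = "suspend"  # "suspend" the account, or "notify" the account holder

@dataclass
class RedFlagMonitor:
    policy: Policy
    known: dict = field(default_factory=dict)    # account -> networks seen so far
    suspended: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def _network(self, ip):
        return ipaddress.ip_network(f"{ip}/{self.policy.prefix_len}", strict=False)

    def process(self, when, account, ip):
        """Classify one payment event as 'accepted', 'flagged' or 'blocked'."""
        if account in self.suspended:
            return "blocked"
        net = self._network(ip)
        seen = self.known.setdefault(account, set())
        if not seen or net in seen:
            seen.add(net)  # the first sighting establishes the baseline
            return "accepted"
        # Unexpected change: record the alert, then apply the written policy.
        self.alerts.append({"time": when, "account": account, "ip": ip,
                            "action": self.policy.action})
        if self.policy.action == "suspend":
            self.suspended.add(account)
        return "flagged"

    def confirm(self, account, ip):
        """Review outcome: the change was legitimate, so trust it and lift the hold."""
        self.known.setdefault(account, set()).add(self._network(ip))
        self.suspended.discard(account)

def run(events, policy=None):
    """Replay events through a fresh monitor; return per-event results and the monitor."""
    monitor = RedFlagMonitor(policy or Policy())
    return [monitor.process(*event) for event in events], monitor
```

Keeping the prefix length and response action in `Policy` rather than in the detection logic makes the periodic review the rules call for a matter of revising those values and replaying recorded events through `run`.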

Self-Regulation and Industry Best Practices

            Industries tend to push back against regulations that impose costly compliance requirements. However, this has not been the case with the financial services industry, at least regarding electronic transactions. While federal rules and laws impose requirements on companies processing electronic fund transfers, the industry players themselves have created best-practices paradigms that create an effective system of self-regulation. In fact, most of the major security measures that consumers rely on today were created and enforced by the Payment Card Industry Security Standards Council. The Council is not a government agency, but rather it’s a coalition of major players in the financial services market, including American Express, Discover, JCB International, and Visa.[12]   

The Security Standards Council governs internationally, so the policies that it develops apply across jurisdictions. This is particularly important for online financial transactions, which are often performed in multiple jurisdictions. The Council’s role is to maintain payment security for any organization that stores, processes, or transmits data from credit card holders – which is by far the most common way consumers engage in e-commerce.          

Even though it does not carry the force of law, the Security Standards Council has proven to be very effective in imposing standards for electronic payments. For example, its standards require retailers to accept chip-embedded credit and debit cards. To make sure retailers followed this new security protocol, the Council contractually shifted liability for non-chip-card fraud from the card company to the retailer. So, if a retailer processes a chip-enabled card but uses the magnetic stripe instead of the inserted chip, the retailer would be liable for any data fraud that occurred.[13]  This poses enough of a deterrent to encourage widespread compliance with the chip-card policy.

Despite robust industry regulations, combating fraud in “card not present” transactions still has a long way to go.[14] These types of transactions, which are most common online, are not as easily remedied by the insertion of a special chip reader or similar technology. As card-not-present transaction fraud continues to pose a major issue in electronic payments and financial services, lawmakers and regulatory agencies are looking into the possibilities of creating special laws aimed at transactions performed online.

Specially-Regulated Online Financial Transactions

Electronic payments must be processed through financial services institutions, so laws regulating the banking and financial industry are the first line of defense against fraud and abuse. However, federal and state governments also have enacted laws that directly regulate the type and manner of allowable online financial transactions.  At the forefront of this new legal movement regarding transactions is the legality of online gambling and the regulation of cryptocurrencies.

Internet Gambling

Outside of a few jurisdictions that allow gambling, anyone who is looking to gamble on casino games or wager on sports books must do so online. The internet is replete with every type of gambling website, ranging from eye-catching electronic slot machines to the increasingly popular fantasy league. A 2018 case, Murphy v. National Collegiate Athletic Association, forced the Supreme Court to grapple with the question of whether the federal government could prohibit sports betting in states that wanted to allow the practice.

Murphy involved a challenge to the Professional and Amateur Sports Protection Act of 1992.[15]  The Act banned the practice of sports betting on the national level, subject to limited exemptions for states with certain pre-existing policies allowing the practice. The State of New Jersey challenged the law, arguing that the statute violated the Tenth Amendment’s prohibition against the federal government commandeering states’ rights. After many years of litigation, the Supreme Court eventually held that the Act was unconstitutional. The Court threw out the law, permitting New Jersey, or any other state for that matter, to implement legal sports betting programs.[16]

The repeal of the national ban on sports betting is a landmark in U.S. legal history. However, the Supreme Court’s decision only has a tangential effect on the world of online gambling. That’s because online gambling is also subject to the federal Unlawful Internet Gambling Enforcement Act of 2006.[17]  Under the Act, gambling businesses may not accept payments associated with a wager using the internet if the wager itself is unlawful under any federal or state law. The Murphy case does not de facto permit sports gambling nationwide, but rather, the decision opens the door for states to allow sports betting if they desire. So, state laws prohibiting gambling remain in effect unless the state chooses to repeal them.  Thus, online gambling may have become permissible on the federal level, but not necessarily on the state level. Online sports betting may now be legal in some states and illegal in others. However, the Unlawful Internet Gambling Enforcement Act may still prohibit domestic companies from accepting wagers online so long as the practice remains illegal in some states.

Cryptocurrency Regulation

            Cryptocurrencies, also known as virtual currencies or digital coins, represent a new type of financial product that is built on blockchain technology. Electronic transactions performed using cryptocurrencies run on peer-to-peer networks and are in some ways more efficient than transactions run through third-party vendors, like the financial institutions. They are not subject to the Financial Services Modernization Act and its implementing regulations.[18] 

Although cryptocurrency remains a fringe part of the online financial services industry, no discussion of e-commerce regulation in the United States would be complete without an overview of how this new technology is changing the regulatory landscape. Cryptocurrency popularity has increased dramatically over recent years.  However, the future of cryptocurrency regulation is dubious because the United States has yet to legally characterize cryptocurrency within its existing set of financial laws.

Moreover, no single federal agency has declared jurisdiction over cryptocurrencies.[19] Rather, virtual currencies are regulated by a veritable alphabet soup of federal agencies. The SEC treats cryptocurrencies like securities and demands all digital coin issuers and exchanges comply with the SEC Acts of 1933 and 1934.[20] The Commodity Futures Trading Commission, on the other hand, has defined some virtual currency transactions as “commodities” subject to the Commodity Exchange Act.[21] The Internal Revenue Service takes yet another approach – labeling cryptocurrencies as property subject to the capital gains tax rules.[22] The Department of Treasury has thrown its hat into the ring as well, and it is more inclined to treat digital coins as money or currency.[23]

For now, these agencies are taking a cooperative approach to cryptocurrency regulation. Collectively, federal agencies are starting to engage in massive law enforcement measures to curb fraud and abuse in cryptocurrency markets. Much of this is in response to the widespread use of cryptocurrencies in online criminal activities, including money laundering, identity theft, fraud, drug sales, tax evasion, and even ransom.[24] However, it is still unclear whether digital coins will be directly regulated as a currency, commodity, security, software, or anything else.


            Online purchases and electronic banking have become a standard part of our everyday lives. To ensure that digital transactions are performed in a safe and secure environment, lawmakers have developed a suite of policies prescribing proper practices for electronic financial activities. Electronic payment processors are primarily responsible for the ground-level enforcement of these laws and regulations and, in fact, they have developed a robust system of international self-regulation.

            Despite the significant developments made in the legal structures that regulate electronic financial activities, new issues are constantly arising. For example, the landmark case of Murphy v. NCAA may have raised more questions than it answered regarding the legality of online sports betting in the United States. Further, cryptocurrencies have puzzled federal regulators across several jurisdictions, as this new financial technology does not squarely fit into the existing regulatory structure. As the law and technology continue to evolve, it appears that one will constantly be playing catch-up to the other, and we can be sure that advancements in technology will bring up novel questions of law for the legislatures and courts to grapple with.


Published by: Eaugrads

Evangelical Alumni Foundation seeks to fulfill "The Great Commandment and The Great Commission" to GOD's great economy. Each of us has great purpose as Sons of God. We are many in one body. Together, we are firmly planted by streams of water to bear fruits in all seasons. We shall not lack no good thing. Deuteronomy 1:11 God's Spiritual Billionaire's! Brief about our founder of Eaugrads: "JESUS"... "His pursuit of us is Relentless, His desire to Fight on our behalf is never ending; Despite the day to day distractions, designed to stop us from reaching our destinies, we can be sure of this... what God starts; He Finishes." Amen! Ministered By Tanya Harris, LLD
