Some parts of the world are slowly emerging from widespread shutdowns and stay at home orders, but flattening the curve may still be far in the future for others. This uncertainty has led many companies across the globe to look for ways to adapt their business models in order to reach consumers. Restaurants shuttered for dine-in meals have reopened for takeout-only orders, gyms and fitness studios faced with membership cancellations and refunds have made virtual workouts available to members electing to maintain their memberships, and retail stores that did not prioritize their online presence or channel now have no other way to reach potential customers. Companies with strong online sales in one market may be looking to expand into new markets. As consumer-facing businesses consider changes in their business models, avoiding legal pitfalls in some key areas is necessary for a successful transition.
How a business interacts with consumers is a key factor in determining basic legal issues that must be considered:
- For online sales, a domain name must be registered, and if there are sales outside the US, all domain names for other countries should be secured.
- For telephone marketing, steps should be been taken to ensure that the calls are made in accordance with applicable privacy and do-not-call laws, such as the US Telephone Consumer Privacy Act (TCPA).
- For text marketing, the delivery of text messages must comply with the TCPA and any anti-spam legislation in the target consumer’s home country (for example, CAN-SPAM in the US and the Canadian Anti-Spam Legislation, more commonly known as CASL, in Canada).
Online or phone sales terms need to be enforceable under the laws of the jurisdiction where the consumer is located:
- In the US, requiring consumers to take affirmative steps to agree to online sales terms is preferable to tacit or implied consent.Many states require confirming the terms of the order in an email.Similarly, in the UK and the European Union, distance selling regulations are prescriptive in their requirements for executing and confirming sales to consumers (such as providing a durable copy of the terms).
- In the US, depending on the type of good or service being delivered, the inclusion of a class action waiver and arbitration clause may be a useful way to mitigate against the risk of consumer claims.
- Some jurisdictions, like the US, have website accessibility requirements. Businesses should determine if they are required to comply under Title III of the Americans with Disabilities Act (ADA) and applicable state law (e.g., California Unruh Act).
- Consumer protection laws generally require transparency in various forms. For example, in Europe, prices may need to indicate any applicable tax, or consumers’ statutory rights may need to be posted in extenso. In California, the Civil Code requires a consumer protection notice, and the California Transparency in Supply Chains Act of 2010 requires a disclosure to consumers. Statutes may dictate where on the site such notices must appear.
- If memberships automatically renew or if consumers are automatically charged for recurring payments, state and federal laws may require disclosures to consumers in order for those recurring charges to be enforceable.To the extent that membership terms materially change – and online-only availability may be such a change – the business may be required to provide a consumer with the option to cancel the membership.
- For businesses operating globally, in many jurisdictions around the world online terms will not be enforceable unless translated into the local language.At the same time, addressing consumers in the local language may trigger application of local e-commerce and privacy legislation; businesses are encouraged to carefully consider the implications of targeting a certain geography.
- Payment information is high-risk and a frequent target for criminals. Specialized vendors can manage payment information so that the business does not touch – and indeed never touches – any payment information. Payment processors should support online processing, and some processors can also assist in cash collection and management.
- If a business’s existing merchant processing agreement does not include electronic payment gateway services (which authenticate customer credit card information and obtain authorization for payment), then an agreement with a payment gateway service provider acceptable to the payment processor will be necessary.
- In the current environment, it is advisable to limit the extent of payment processing that requires the need for personal contact (such as restaurants now engaging in drive-in takeout) by using contactless payment methods.
Regulatory framework for goods and services
Depending on the goods and services being provided, a regulatory assessment, and perhaps additional terms, may be required:
- Some businesses are pivoting their offerings to include gloves, masks, and other types of personal protective equipment (PPE).In the US, though some of the Food and Drug Administration (FDA) requirements are being relaxed to facilitate the supply of PPE, businesses must ensure that the goods being offered comply with the appropriate FDA or other regulatory requirements for import, labeling, packaging, safe handling, and sale. Products that do not comply with a specific standard but may otherwise be lawfully sold must not be offered under claims of conformity that are misleading.
- More generally, businesses should be cognizant of the fact that any statements or claims made on a website will be reviewed by regulatory agencies (such as the FDA and Federal Trade Commission (FTC) in the US) like claims made on a product.Thus, the same level of compliance scrutiny should be applied to websites as to on-product claims.
- Businesses may consider partnerships with other industry leaders to provide access to a different and compliant platform, but any such partnerships must be compliant with the antitrust laws (which in some regions, such as the EU, have been relaxed for the purpose of fighting the pandemic).
- Virtual workouts should include appropriate health and safety disclaimers to mitigate against personal injury liability.
- It is important to assess whether unique state or national laws may apply to products if they are sold into different geographies. For example, some consumer goods (such as alcohol) may be subject to US state laws that are often inconsistent and may limit the distribution of goods across state borders or require additional permits or registrations.
Content and Intellectual Property
The content and material that is available on a website may be considered proprietary. Taking appropriate steps to ensure that this information is protected can help a business maintain a competitive advantage:
- Register and clear in all relevant geographies the logos, trademarks, and service marks that a business claims to own.
- Consider copyright registrations in proprietary materials used on the website.
- Use of third-party trademarks, photos, and videos should either be licensed from the owner or cleared for use under any applicable fair use principles.
- If a business maintains a site where users can provide their own content (commonly referred to as user-generated content, or UGC), implement a takedown procedure or policy for material posted on the website that infringes third-party copyright.
- Ensure that there are online terms that protect the intellectual property on the website.
- Producing and making video content available will require appropriate consents and releases from the participants who appear in the video.
Data privacy and security
Data privacy and breach notification laws are ubiquitous across the globe, and compliance is sometimes seen as a necessary annoyance. But adopting best practices in privacy compliance and implementing and maintaining robust data security also build consumer trust and reinforce brand reputation at a time when consumers are increasingly concerned about their privacy. Businesses may need to consider a number of different requirements:
- Businesses should start by assessing carefully which privacy laws apply to their activities. A US domestic website will likely not need to adhere to European cookies regulations, but may well be subject to the California Consumer Privacy Act’s (CCPA) “Do Not Sell” requirements because it uses website trackers. Properly scoping the applicable laws at the outset will help ensure a more efficient rollout of the website or service, regardless of the target audience.
- Under the CCPA as well as data protection laws in more than 100 countries, transparency about personal information processing is a fundamental obligation for any business collecting that information. Depending on the target markets, one or more privacy policies or notices will be required for the website, mobile app, or even in-store pickup. In some jurisdictions – notably in Asia – consent may also be required.
- Website security must be a top priority. A significant number of personal data breaches can be traced back to improper coding, maintenance or updates of websites, or use of live data in website development projects. Businesses must ensure adequate resources and auditing of all website development activities, whether conducted internally or by a vendor. And when there is a leak, it is critical to have a well-rehearsed incident response plan in order to mitigate harm to consumers and to the business.
Marketing and promotions
As businesses develop these new channels, launching web-based promotions to reach a new and expanded base requires compliance with a distinct set of rules regarding the disclosure of the details of offers, timing of offers, expiration of offers, and treatment of information as a result, including, for example:
- If a company, product, or promotion is endorsed by an individual with a pre-existing relationship to the company (for example, an employee, a paid influencer, or even an entrant into a company’s sweepstakes), this generally must be disclosed with the endorsement.
- Marketing strategies such as “email a friend” to get a “free product” are also subject to scrutiny; these campaigns must consider compliance with the CAN-SPAM Act regarding electronic communication restrictions and disclosures, as well as FTC guidance and state laws pertaining to free offers.
- Marketing campaigns designed to raise money online for COVID-19 related charities are generally governed by commercial charitable co-venture and charitable sales promotion laws. For example, an offer to donate 5 percent of all online sales for the month of May would fall within this category. Generally, these laws require a for-profit business to (i) enter into a written contract with the charity including mandatory terms; (ii) file/register/bond the promotion with the state; (iii) make advertising disclosures; and/or (iv) retain records.
- Prize offers online and in social media also require careful structuring to avoid unintentionally forming an illegal lottery.They also need clear and comprehensive “Official Rules.” Companies must avoid requiring a payment or purchase to participate in a prize offer.Furthermore, a few states require registration and bonding for certain prize offers, and many require very specific disclosures in advertisements and on websites.
Though many companies originally may have thought that the impact on their business would be temporary, it is becoming clear that the coronavirus disease 2019 (COVID-19) will have long-lasting effects on businesses in the consumer sector. Where an online presence was an adjunct sales pipeline to a traditional bricks-and-mortar store, restaurant, or gym-front, COVID-19 has now made that alternative channel the primary or even the only way to reach consumers. While we can all look forward to the days when we may once again shop in stores, dine in restaurants, and work out in gyms, until we are released from our isolation we can be grateful for the resilience of the businesses that have adapted.
If you have any questions regarding these new requirements and their implications, please contact any member of DLA Piper’s Consumer Goods, Food and Retail sector or your DLA Piper relationship attorney.
Please also visit our Coronavirus Resource Center and subscribe to our mailing list to receive alerts, webinar invitations and other publications to help you navigate this challenging time.
This information does not, and is not intended to, constitute legal advice. All information, content, and materials are for general informational purposes only. No reader should act, or refrain from acting, with respect to any particular legal matter on the basis of this information without first seeking legal advice from counsel in the relevant jurisdiction.