18 February 2004

Major Consumer Legislation Adopted In Congress


Originally published December, 2003

In This Article

  • Spam Legislation Adopted in Congress
  • House and Senate Reach Agreement on Credit Reporting and Identity Theft Legislation - FCRA Preemption Provisions Extended Permanently

With Congress set to adjourn for the year, deals on two major pieces of legislation have been reached. These two pieces of legislation are significant developments in the areas of electronic commerce and privacy. This legislation, once forwarded to and signed by the President, will ensure national standards for regulation of commercial electronic mail (spam) and key provisions of the Fair Credit Reporting Act.

Both pieces of legislation are particularly timely given pending state action surrounding a January 1, 2004 deadline. California had enacted legislation that would have created an "opt-in" standard for the sending of commercial e-mail. This legislation could have resulted in major costs for businesses both in and out of California, with no impact on eliminating spam. Similarly, there existed preemption provisions of the Fair Credit Reporting Act that were set to "sunset" without further congressional action. Significant rulemaking exists under both pieces of legislation that will further define critical portions of the legislation.

It is remarkable that this year we see state preemption or the "creation of a national standard" in two important pieces of consumer legislation. In both cases, a strong argument was made that we need a national regulatory framework for the Internet and for the credit reporting system. This has been a difficult and hard won process. There has been a high price to pay for this result, particularly in the context of the FCRA.

SPAM LEGISLATION ADOPTED IN CONGRESS
By Ronald L. Plesser, James J. Halpert and Stuart Ingis

On Friday, November 21, 2003, the House and Senate reached a deal on S. 877, the CAN-SPAM Act. This deal was reached between Representatives Tauzin, Dingell, Sensenbrenner, Burr, Wilson, and Green and Senators Burns, Wyden, McCain, Hollings, Hatch, and Leahy. The Senate now has adopted this legislation. Since it underwent some changes in the Senate, the bill hopefully will be adopted by the House on December 8, 2003. Congress has considered spam legislation for more than five years. S. 877 is an opt-out law, and it requires that senders of commercial e-mail indicate in the communication that the message is a solicitation. It will set a national standard for the regulation of commercial electronic mail by preempting the more than 30 state spam laws, while preserving state laws addressing falsified spam.

The legislation provides strong new enforcement tools for the Federal Trade Commission, Department of Justice (which has specific authority to bring criminal prosecutions), state attorneys general, and Internet service providers. The enforcement provisions specifically target many of the practices used by the most egregious spammers. Set forth below is a detailed description of the legislation, followed by a description of the rulemakings and studies of commercial e-mail that will follow enactment.

Scope and Opt-out

The law will require that all commercial e-mail messages include an opt-out, a physical address, and an indication that the e-mail is a solicitation. The bill leaves it to the sender of the e-mail to determine how to indicate that the message is a solicitation. "ADV" and similar labeling requirements contained in many state laws will be preempted. Moreover, the bill precludes the FTC, in its future rulemakings, from requiring such labeling except in the context of sexually oriented material, although the FTC may study this issue.

These requirements on commercial e-mail will not apply to "transactional or relationship" e-mail messages, such as e-mail about account balances, memberships, subscriptions, or other ongoing commercial relationships that are not primarily solicitations. However, S. 877 will apply to all other commercial electronic mail, defined as any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service. The version of the bill that passed the Senate last month would have applied to a more narrow category of unsolicited e-mail communications. The companion House spam bills had taken the approach of applying to all commercial messages.

Preemption and Effective Date

It is of major significance that the new federal spam law will preempt the numerous state laws that have been passed in recent years regulating commercial e-mail. The effective date of S. 877 is January 1, 2004 so that it will preempt the California "opt-in" law that otherwise would have taken effect on the same date. The federal law will preserve state laws "to the extent that" they prohibit falsity or deception in commercial e-mail, as well as state common law rules. Thus, the law will create a uniform national standard for commercial e-mail communications, while preserving important state laws, such as the Virginia state spam law, that have been used successfully in litigation in combating deceptive spam.

New Civil Provisions

The federal spam law contains civil prohibitions against the sending of false or misleading header or transmission information in a commercial e-mail message; against using another computer to relay or retransmit commercial e-mail for the purpose of disguising its origin; and against sending commercial e-mail that includes an originating e-mail address, domain name, or Internet protocol address that was obtained by means of false pretenses or representations. Similarly, it will prohibit the use of deceptive subject headings.

The law will provide additional remedies against those who violate the falsification and deception provisions ("aggravated violations") by "harvesting" e-mail addresses or engaging in "dictionary attacks." Harvesting is the practice of collecting through an automated means e-mail addresses that are posted on websites or online services. Dictionary attacks occur when e-mail addresses are generated by combining names, letters, or numbers into numerous permutations in the hope of generating functioning e-mail addresses. Aggravated violations also exist for the automated creation of multiple e-mail accounts to transmit otherwise unlawful messages and the relay or retransmission of commercial e-mail from computers that have been accessed without authorization.

Strong New Criminal Enforcement Tools

The law will amend Title 18 to criminalize the most egregious spammer tactics. These include new prohibitions against initiating more than 100 commercial e-mail messages in a 24-hour period involving hacking into someone else's computer to send bulk spam; using "open relays" to send multiple spam with the intent to deceive ISPs or recipients as to the origin of the messages; falsifying header information in spam; registering for five or more e-mail accounts or two or more domain names using false information and then sending multiple spam from these accounts; and falsely representing oneself to be the holder of five or more Internet protocol addresses and sending multiple commercial e-mail messages from such addresses.

Ordinary violations will be misdemeanors. Violations involving hacking, larger numbers of commercial e-mail messages or falsified registration, or loss or gain aggregating more than $5,000 in a year, or a criminal spam organization are punishable by a three-year felony. Five-year felony penalties are available for violations undertaken in furtherance of another felony and violations by someone with a prior offense involving hacking or criminal spam under federal or state law.

Do-Not-E-mail Registry

The do-not-e-mail registry provision, which had been added by Senator Schumer at the time of Senate passage of the legislation last month, survived. The FTC is required to set forth a plan and timetable for establishing a nationwide marketing do-not-e-mail registry that includes an explanation of any practical, technical, security, privacy, enforceability, or other concerns that the FTC has regarding such a registry. The FTC has the authority, but is not required, to implement a registry.

Wireless E-mail

New provisions regarding mobile commercial messages were added moments before House consideration of the legislation. These provisions will require the Federal Communications Commission to issue rules to "protect consumers from unwanted mobile service communications." Mobile commercial messages are messages that are transmitted directly to a wireless device. The law requires that the FCC define rules that will provide subscribers to commercial mobile services the ability to avoid receiving mobile service commercial messages. The law requires that the FCC consider whether to require providers of commercial mobile services to allow subscribers to indicate a desire not to receive future mobile service commercial messages at the time of subscribing to such service.

Sexually Oriented Warning Labels

The law will require initiators of commercial e-mail that includes sexually oriented material to include in the subject heading specific marks or notices to be created by the FTC, or to ensure that the material in the message that is initially viewable to the recipient when the message is opened include only the mark or notice indicating that the message is sexually oriented; the other required opt-out and inclusions; and instructions on how to access the sexually oriented material.

Businesses Knowingly Promoted by Electronic Mail with False or Misleading Transmission Information

The law will make it unlawful for a business to promote goods and services in a commercial e-mail sent by others that the business knows violate provisions of the law.

Rulemaking, Reports, and Studies

  1. General Rulemaking Authority. The law provides the FTC with general rulemaking authority to implement the provisions of S. 877 other than the criminal provisions. There is no requirement for the FTC to undertake a general rulemaking. It is merely authorized to do so. Also, as mentioned above, the FTC is not authorized to issue regulations that would require inclusion of any specific words, characters, marks, or labels in a commercial e-mail message or identification of a commercial e-mail as a solicitation in any particular part of the message.
  2. Definition of Primary Purpose. The FTC will define the relevant criteria for determining the primary purpose of an electronic mail message and, thus, what e-mail is regulated by S. 877. This must be completed not later than 12 months after the date of enactment.
  3. Time Frame for Honoring Opt-Out. The FTC has authority to modify the 10-business-day period for businesses to honor opt-out requests. There is no time frame set forth, but the FTC must undertake a rulemaking in this area.
  4. Prescription of Marks for Sexually Oriented Material. In consultation with the Attorney General, the FTC shall prescribe marks and notices to be included in or associated with e-mail messages that are sexually oriented. These prescriptions must be set forth not later than 120 days after the date of enactment.
  5. Do-Not-E-mail Registry. The FTC is required, in a report to Congress, to set forth a plan and timetable for establishing a nationwide marketing do-not-e-mail registry that includes an explanation of any practical, technical, security, privacy, enforceability, or other concerns that the FTC has regarding such a registry. Its report must also include an explanation of how the registry would be applied with respect to children's e-mail accounts. The FTC is not required to implement a registry. This report must be transmitted to the House and Senate Commerce Committees within six months of enactment; the FTC may establish and implement the plan nine months after enactment.
  6. Study on the Effects of Commercial E-mail. The FTC, in conjunction with the Department of Justice and other appropriate agencies, shall submit a report to Congress that provides a detailed analysis of the effectiveness and enforcement of the law. This report must be transmitted not later than 24 months after enactment.
  7. Reward Report. The FTC must submit a report to Congress that sets forth a system for rewarding those who supply information about violations of this act. This report must be transmitted within nine months of enactment.
  8. "ADV" Labeling Report. The FTC must submit a report to Congress that sets forth a plan for requiring commercial electronic mail to be identifiable from its subject line with the characters "ADV" in the subject line, or other comparable identifier; or the report must explain any concerns the Commission has that cause the Commission to recommend against such a plan. This report must be transmitted within 18 months of enactment.
  9. Wireless. The FCC in consultation with the FTC shall promulgate rules to protect consumers from unwanted mobile service commercial messages. These rules must be set forth within 180 days - presumably from the effective date.

* * * * * * * * * * * * * *

HOUSE AND SENATE REACH AGREEMENT ON CREDIT REPORTING AND IDENTITY THEFT LEGISLATION - FCRA PREEMPTION PROVISIONS EXTENDED PERMANENTLY
By Ronald L. Plesser, Emilio W. Cividanes and Alisa Bergman

Over the weekend of 22nd November, 2003, both the House and Senate passed the conference report on H.R. 2622, the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), H.R. Rep. No. 108-396. The bill now will be sent to the President for his signature.

The Federal Reserve Board and the Federal Trade Commission will have two months after enactment to jointly prescribe final regulations establishing effective dates for each provision of this Act. The effective dates set forth in these regulations shall be no later than 10 months after issuance of the final rules.

One of the key provisions of this bill, a priority that served to catapult this legislation to the forefront of the congressional agenda, extends the federal preemption provisions of the Fair Credit Reporting Act (FCRA) that had been set to expire at the end of this year.

Also included in the legislation are provisions designed to afford consumers new protections against identity theft, including free credit reports annually; a national fraud alert system to minimize damage once a theft has occurred; providing identity theft victims with a summary of their rights; and allowing consumers to block information from being given to a credit bureau and from being reported to a credit bureau if such information results from identity theft.

With respect to free credit reports, the legislation requires Federal Trade Commission rulemaking on several issues including: (1) the establishment of a centralized clearinghouse through which a consumer may obtain a consumer report from a nationwide consumer reporting agency described in section 603(p) of the FCRA; (2) whether credit reporting agencies other than 603(p) CRAs and "nationwide specialty consumer reporting agencies" (603(w) CRAs; see footnote 2 below) should be required to provide free credit reports upon request; and (3) whether these other agencies should participate in the newly created central clearinghouse.

Some of the other highlights include: providing consumers with the ability to opt out of information sharing among affiliated entities for marketing purposes, simplifying the ways in which consumers can limit unsolicited marketing information, requiring CRAs to truncate (display first five digits only) social security numbers (SSNs) upon consumer request in copies of their credit reports provided to them, requiring businesses to truncate credit card numbers and debit card numbers on receipts, providing consumers with broad new medical privacy rights (e.g., requiring the coding of medical information on credit reports), and providing consumers with a one-call-for-all protection by requiring credit bureaus to share consumer calls on identity theft, including requested fraud alert blocking.

The legislation did not include provisions under consideration at various stages of the process on the issues of social security number privacy and confidentiality of credit header information. In addition, the legislation did not become entangled with discussions to amend Title V (the financial privacy provisions) of the Gramm-Leach-Bliley Act, as originally was thought would be the case.

We provide below an overview of some of the key provisions of the legislation and enumerate some of the rulemaking proceedings we believe will be of particular interest.

Preemption (Section 711)

The FACT Act permanently extends the preemption provisions of the FCRA that were set to expire on January 1, 2004. Of particular concern to industry was that failure to extend preemption would have enabled the states to enact more stringent restrictions than those contained in the FCRA for a laundry list of items, including affiliate sharing and credit prescreening. This legislation preempts state laws concerning the exchange of FCRA information among persons affiliated by common ownership or common corporate control, as well as prescreening - i.e., a consumer reporting agency's (CRA) compiling and selling of names of people who meet specified credit criteria.

Adoption of a nationwide standard also is important for continuing a single standard with respect to certain existing duties, such as compliance duties (time in which a CRA must respond to reports of inaccuracies); user duties (notice and other requirements when a credit report is used for an adverse action); content of reports (length of time negative information can appear on the report); the duties of furnishers (accuracy of information provided, correction duties, notice of closed or disputed accounts); and the disclosures that CRAs must make to consumers.

In addition, these provisions preempt state laws with respect to new duties imposed by the FCRA Act, that is, "conduct required by the specific provisions" enumerated in the legislation. These include requirements in the areas of credit card truncation; social security number truncation in consumer reports provided to consumers; free consumer reports; blocking of information from identity theft; disposal of records; coordination of consumer complaints; repollution of consumer reports; and certain requirements regarding fraud alerts and identity theft.

Truncation of Credit and Debit Card Account Numbers on Receipts (Section 113)

This section amends the FCRA to require persons that accept credit or debit cards to truncate or mask (display no more than the last five digits of the card) card numbers on electronically printed receipts provided to the card holder at the point of sale or transaction. It also prohibits the printing of expiration dates on such receipts. This requirement does not apply in the context of transactions in which the only means of recording a credit or debit card number is by handwriting or by an imprint or copy of the card.

There is a three-year phase-in effective date for cash registers or machines or other devices that electronically print receipts for credit and debit card transactions if this machine/device is in use before January 1, 2005. There is a one-year phase-in effective date for those machines/devices that are first put into use on or after January 1, 2005.

Of note, as discussed above, this section is one of the sections that is subject to the preemption provisions in section 711. The amended FCRA text thus will now state that no requirement or prohibition may be imposed under the laws of any state with respect to the conduct required by the specific provisions of this section.

Social Security Numbers and Confidentiality of Credit Headers (Limited SSN requirements in Section 115)

Although comprehensive social security number legislation and confidential treatment of credit header information were subjects considered for inclusion at various points in the legislative process, these types of issues ultimately were thought to be better addressed in other legislation. As such, this legislation has only limited reach to SSNs, requiring CRAs upon request to truncate SSNs on copies of credit files provided to consumers.

Select Provision on Identity Theft (Section 151)

As part of the summary of rights of identity theft victims, this section establishes a process for identity theft victims to obtain evidence from businesses about fraudulent transactions. It requires businesses that have records relating to a fraud based on an identity theft (applications for credit, records of sales or other documents) to provide, free of charge, copies of these records to the victim within 30 days of request upon verification of the identity of the victim and the claim of identity theft.

To establish that a consumer is an identity theft victim and obtain such information from a business, the consumer must provide the business proof of positive identification (e.g., a government-issued identification card), a copy of a police report, and a standardized notarized FTC affidavit (or other acceptable affidavit).

Free Credit Reports (Section 211)

This section amends the FCRA to require "nationwide credit reporting agencies" described in 603(p)[1] and those covered by section 603(w),[2] a newly created category entitled "nationwide specialty consumer agency," to provide consumers, upon request, on an annual basis with a free copy of their credit report.

Section 211 requires the FTC to undertake a rulemaking to require the establishment of a centralized source through which consumers may obtain a consumer report from the "nationwide CRAs" (i.e., 603(p) CRAs) using a single request and without charge, and requires consumers to use this source to request the free annual reports from these nationwide CRAs. This centralized clearinghouse must be accessible by toll-free telephone, Internet Web site, and mail.

This section also requires FTC rulemaking to determine whether to require a CRA that "compiles and maintains files on consumers on substantially a nationwide basis, other than one described in section 603(p) of the [FCRA], to make free consumer reports available upon consumer request and if so, whether to make such free reports available through the centralized source …." The factors that the FTC will consider are more industry friendly than those contained in draft versions of the legislation, adding in requirements to consider the costs of providing free access to consumer reports and the effects on the ongoing competitive viability of such CRAs if such free access is required.[3]

In addition, this section provides the FTC with rulemaking authority to require nationwide specialty consumer agencies (603(w) CRAs) to establish a streamlined process for consumers to request the free annual consumer reports which, at a minimum, will include establishment of a toll-free number to process these requests.

This section also (1) authorizes the FTC to prescribe regulations, within 90 days of the effective date of this section, to prevent CRAs from circumventing or evading treatment as a 603(p) CRA; and (2) requires the FTC to prepare a model summary of rights and actively publicize the availability of these rights.

Affiliate Sharing (Section 214)

This section, which is subject to the federal preemption, creates special rules for affiliate sharing for marketing purposes. Specifically, it would require clear and conspicuous consumer notice and an ability to opt out from "solicitations"[4] for marketing purposes when information in reports containing solely transaction or experience information (i.e., non-consumer reports), as well as information in consumer reports, are shared with corporate affiliates. In addition to setting out specific requirements for the notice and its format, this provision contains a limit on the duration of the opt out, making it effective for five years, rather than the permanent opt out that had been under consideration. It does, however, require consumer notice upon expiration of the effective date.

This section contains six exceptions to the affiliate-sharing notice-and-opt-out requirements: for a "pre-existing business relationship";[5] for employer communications to participants or beneficiaries of an employee benefit plan; for service providers that are corporate affiliates; for responding to a consumer-initiated communication; for responding to solicitations authorized or requested by the consumer; or if a person's compliance with this section would prevent compliance with any provision of state insurance laws pertaining to unfair discrimination.

This section also provides the federal banking agencies, the National Credit Union Administration, and the FTC with rulemaking authority to promulgate rules within nine months to implement this section. Potential expansion of the definition of "pre-existing business relationship" is among the issues to be included in the rulemaking.

The rules are to be effective not later than six months after publication of the final regulations. These rules will not apply retroactively; that is, requirements do not apply to the use of information to send a solicitation to a consumer if such information was received prior to the date on which persons are required to comply with the implementing regulations for this section.

Important Rulemaking Proceedings

Following is a list of some of the rulemakings that may be of particular interest:

1. Federal Reserve Board and FTC rulemaking on the effective dates for the provisions of the legislation (Section 3).

2. FTC rulemaking on the term "identity theft" (Section 111).

3. FTC rulemaking on what constitutes appropriate proof of identity for fraud alerts, information blocking, and truncation of SSNs on consumer credit reports (Section 112).

4. Free Credit Report rulemakings (Section 211); FTC rulemakings on:

  • establishment of a streamlined process for free credit reports to be provided by 603(w) CRAs;
  • preventing a consumer reporting agency from circumventing or evading treatment as a 603(p) CRA;
  • the establishment of a centralized source through which consumers can request free credit reports from 603(p) CRAs; and
  • whether to require a CRA that compiles and maintains files on consumers on substantially a nationwide basis, other than those described in 603(p) to: (i) make free reports available upon request; and, if so, (ii) whether to make such reports available through the newly established centralized source.

5. Federal banking agencies, National Credit Union Administration, and FTC joint rulemaking on the affiliate sharing rules for marketing solicitations (Section 214).

Endnotes

1. Section 603(p) of the FCRA defines a consumer reporting agency that compiles and maintains files on consumers on a nationwide basis to mean "a consumer reporting agency that regularly engages in the practice of assembling or evaluating, and maintaining, for the purpose of furnishing consumer reports to third parties bearing on a consumer's credit worthiness, credit standing, or credit capacity, each of the following regarding consumers residing nationwide:

1) public record information;

2) credit account information from persons who furnish that information regularly and in the ordinary course of business."

2. Nationwide Specialty Consumer Reporting Agency is defined as a CRA that "compiles and maintains files on consumers on a nationwide basis relating to - (1) medical records or payments; (2) residential or tenant history; (3) check writing history; (4) employment history; or (5) insurance claims."

3. Following is the full list of factors the FTC is to consider in determining which entities should provide free reports and whether to include them in the clearinghouse: (i) the number of requests for consumer reports to and the number of consumer reports generated by the CRA, in comparison with 603(p) and (w) CRAs; (ii) the overall scope of the operations of the CRA; (iii) the needs of consumers for access to consumer reports provided by CRAs free of charge; (iv) the costs of providing access to consumer reports by CRAs free of charge; and (v) the effects on the ongoing competitive viability of such CRAs if such free access is required.

4. Solicitation is defined as the "marketing of a product or service initiated by a person to a particular consumer that is based on an exchange of information described in subsection (a), and is intended to encourage the consumer to purchase such product or service, but does not include communications that are directed at the general public or determined not to be a solicitation by the regulations prescribed under this section."

5. Pre-existing business relationship is defined as "a relationship between a person, or a person's licensed agent, and a consumer, based on -

"(A) a financial contract between a person and a consumer which is in force;

"(B) the purchase, rental, or lease by the consumer of that person's goods or services, or a financial transaction (including holding an active account or a policy in force or having another continuing relationship) between the consumer and that person during the 18-month period immediately preceding the date on which the consumer is sent a solicitation covered by this section;

"(C) an inquiry or application by the consumer regarding a product or service offered by that person, during the 3-month period immediately preceding the date on which the consumer is sent a solicitation covered by this section; or

"(D) any other pre-existing customer relationship defined in the regulations implementing this section."

* * * * * * * * * * * *

This article is intended to provide information on recent legal developments. It should not be construed as legal advice or legal opinion on specific facts. Pursuant to applicable Rules of Professional Conduct, it may constitute advertising
