UNITED STATES FEDERAL TRADE COMMISSION
NATIONAL TELECOMMUNICATIONS AND INFORMATION ADMINISTRATION, UNITED STATES DEPARTMENT OF COMMERCE
I am submitting these comments on various aspects of the Electronic Signatures in Global and National Commerce Act ("ESIGN" or "the Act"), Pub. L. No. 106-229, in response to the Notice Requesting Public Comment and Academic Papers and Announcing Public Workshop published by the Federal Trade Commission ("Commission") and the National Telecommunications and Information Administration of the Department of Commerce ("NTIA"). I am an attorney with the firm of Paul, Hastings, Janofsky & Walker LLP, practicing in the area of technology & e-commerce law and policy in Washington, DC. Although I was actively involved in the legislative process surrounding ESIGN on behalf of an online financial services company and have advised several online and e-commerce clients on compliance with and the ramifications of ESIGN, I submit these comments solely on my own behalf. These reflect only my personal views and reflections, not those of any client or of Paul, Hastings. Further, although it should go without saying, nothing in these comments constitutes or should be regarded as legal advice or other advice of counsel, and, thus, any reliance thereon is at the reader's own (considerable) risk. Such advice can be rendered only upon an analysis of the specific facts and circumstances evident in a given situation.
Introduction and General Observations
1. In providing these comments, I generally address the issues implicated by Issues 1-5 ("General Issues") and 25-28 ("Technology Issues"). The remaining issues presented seem addressed specifically to business or consumer commenters, although, in the course of my comments, I will touch on some of the substance of the concerns raised in those issues as well.
2. Let me first point out the obvious: that ESIGN, including its consumer consent provisions embodied in section 101(c)(1), represents a compromise between the perspectives of industry, which demanded a workable non-regulatory solution that would not erect rigid barriers to e-commerce, and of consumer groups, which were concerned with the potential for abuse of vulnerable members of the public. Nowhere is that compromise more sharply defined than in section 101(c)(1)(C)(ii). But, first, let's take a quick look at the overall consent provisions of § 101(c)(1) to provide some context. (For the reader's information, I also include at the end of these comments an addendum with some further thoughts on the consent provisions of the Act.)
The Consumer Consent Provisions of ESIGN: What They Say
3. Although ESIGN represents a watershed in legal recognition of electronic media, there remained at the time of its passage (and still today) considerable discomfort on the part of consumer groups, regulators and others regarding the implications of this electronic revolution. For that reason, Congress expressly stipulated that nothing in the Act undermines or supersedes existing consumer protection laws, other than the simple requirement of a paper "writing." Moreover, the Act imposes additional requirements that apply only to consumers and that were intended to address what legislators believed were new hazards uniquely associated with the electronic medium. These protections are primarily designed to ensure knowing and meaningful consent to the use of the electronic medium.
4. Where a statute, regulation, or other rule of law requires that information relating to a transaction be provided to a consumer in writing, the writing requirement is satisfied by provision of an electronic record if the consumer "affirmatively" consents to use of the electronic record. § 101(c)(1).
5. Affirmative consent is obtained by:
6. In addition, any time the record provider changes the technical requirements for accessing or retaining the records in a way that creates a "material risk" that a consumer will not be able to access or retain subsequent records, the provider must obtain a new consent to continue providing the records electronically.
Section 101(c)(1)(C)(ii): Electronic Consent
7. It is the last step on the list above, number (7), that is encapsulated in section 101(c)(1)(C)(ii) of the Act and that has occasioned the most vigorous debate in Congress and consternation among some in industry who otherwise supported ESIGN. The manner in which consent is obtained (or confirmation of consent in situations where consent is first obtained on paper) must reasonably show that the consumer actually can access the format that will be used for the records. But has this language been interpreted rigidly to mean, for example, that the actual "manner" of consent itself must "demonstrate" this ability? Must something about the method used by the merchant or record provider intrinsically "demonstrate" in some reasonably objective way that the consumer is able to access the record provided? That truly would represent a difficult standard. Put another way, has this provision turned out as badly as some feared? The answer, I believe, is "not yet."
8. There is no question that, in many instances, the electronic consent provision imposes an additional step in the online relationship that B2C merchants or service providers must accommodate. This entails some design effort and expense. Nevertheless, I believe the impact of the provision is not nearly so negative as some have feared for several reasons.
9. First, although not in itself sufficient reason to embrace the provision, it is worth pointing out that this provision, like the remainder of the consent provisions, is best understood as a "safe harbor," not an obligation. The Act states that an electronic version of a record that must be provided in writing "satisfies the requirement that such [record] be in writing if" the consent provisions are met. § 101(c)(1). It does not say that, if those provisions are not met, consent cannot be shown some other way and that the electronic delivery will be deemed per se insufficient. Nevertheless, in the real world, businesses don't like to take risks, and I don't know many attorneys who would advise their clients to rely on that alone as a basis to ignore or not to worry overmuch about the consent provisions.
10. A more important basis for my belief that the electronic consent has not yet proven to be the bugaboo many thought is that it is clearly possible to accommodate consumer advocates' concerns that consumers be treated fairly without creating undue difficulty for the merchant, and, in the absence of real abuse, there seems to be no appetite (so far) among regulators or law enforcement to pursue electronic record providers based on possible but hyper-technical readings of the statute. In short, for now, everyone seems to be approaching the matter with at least a modicum of common sense.
11. For example, here are two relatively simple procedures that I believe comply with the provision:
12. The key in both examples is that the subsequent conduct of the consumer necessarily demonstrates that the consumer read and understood the request and, thus, can access and read the records provided her. In each example, particularly the second, it arguably is not the "manner" in which the consent was obtained that provides that demonstration. Thus, reading the electronic consent provision literally, neither procedure may pass muster, but no "reasonable regulator" or consumer advocate would have grounds to protest (or, to my knowledge, has as yet). One qualifier, for the sake of completeness: Of course, in either illustration the format used should be one in which the ability to access necessarily carries with it a corresponding ability to print or save the document, in order to satisfy the "retention" portion of the statutory provision (requiring ability both to access and retain).
13. In sum, then, while the consent provisions in ESIGN may represent at their extremes somewhat of an "over-regulatory" approach, the potential for counter-productive over-regulation has not materialized - largely because, I suspect, most participants in the ESIGN debate meant what they said. Industry stated it had no intention of deceiving consumers and that it was in businesses' interest to make their customers comfortable with the online medium. Consumer groups responded that they had no interest in persecuting reputable businesses but wanted protection against the unscrupulous. And, so far, at this very early stage, that's exactly how it has played out.
14. That's not to say there aren't grounds for concern, however. In particular, the failure of the ESIGN conference committee to agree on a committee report explaining some of the frustrating ambiguities in ESIGN was disappointing. Even worse was the plethora of often-conflicting statements inserted into the record by individual legislators, each purporting to reflect the intent of the conference. The resulting confusion has led to some mischief, although principally in areas other than consent. One example: the "guidance" on the Act published last year by the Office of Management and Budget ("OMB"). In its release, OMB relied extensively on interpretations of the Act that, to put it charitably, represented at best the views of a minority of legislators who supported ESIGN and that, if widely embraced, could lead to dramatically more regulation than was anticipated at the time of the Act's passage. Nonetheless, those fears remain theoretical at present, with no indication, in the consent area at least, that they will be realized. (An area of greater concern, outside of the scope of this proceeding, is how state and federal agencies accommodate the Act's record retention provisions and whether they resist the Act's mandate.)
15. In the Request for Comment, the Commission and NTIA raise several "technology issues" on which they request comment. Among these are questions regarding whether software programs and technology needed to implement the electronic consent provision are readily available and how companies are able to verify the identities of the consumers providing their consent. I will touch briefly on each.
16. The answer to the first question is implicit in the above discussion: because common-sense solutions to dealing with the consent provisions are relatively simple, the technology needed is similarly simple. Depending on the implementation, it is quite possible that no "special" software is required. To the extent some e-commerce providers do require more sophisticated or expensive alternatives, that is often a function of a variety of factors of which the consent provisions are only a minor part. Other, more important objectives include, for example, the need to ensure the security and integrity of important data.
17. As for identification of the consumer providing the consent, that also is but a subset of a much more important issue: the e-commerce merchant or service provider must be sure of the identity of the consumer with whom it is interacting in order to conduct business. The fact that ESIGN contains a provision directing that consent be obtained electronically from that consumer is a distinctly subsidiary concern in the face of the much larger business imperatives pushing in the same direction.
18. In any event, my understanding is that many, if not most, e-commerce businesses rely on external identifiers provided by the consumer that are generally regarded as reliable indicia of identity, such as social security number, credit card number, professional license identification, home address, and the like. Admittedly, all of this information is susceptible of misappropriation. This is why for more sensitive applications firms will not rely only on these indicators. Other, very innovative solutions have begun to appear on the market. For instance, credit reporting agencies now are able to verify, in real time, information supplied by a consumer in response to a series of questions and project, with a high degree of confidence, that the consumer is who she says she is. But again, it bears repeating that businesses adopt this and other technologies not because of ESIGN, but because of their business needs. It is this more than anything else that truly attests to ESIGN's success - it has allowed e-commerce companies to comply with its dictates (or safe harbors, as the case may be) while working minimal intrusion on their business decisions.
19. This important fact illustrates dramatically the importance of ESIGN's embrace of technology neutrality and vindicates the struggles of those who fought so hard to ensure that the Act adhered to that principle. Had the Act attempted to impose a particular technology, it would have become unworkable as companies which had settled on processes with which they were comfortable for their business operations suddenly realized that for the ancillary purpose of obtaining ESIGN-approved consents, some other technology was required.
20. Indeed, the most obvious candidate for a "technology selection" had ESIGN adopted such an approach would have been public key infrastructure, or PKI. Yet, today, while the use of PKI is growing, it is not widespread on the Web, and, if anything, is finding favor more in the B2B context than in the B2C.
21. In sum, I believe we can conclude the following:
22. First, the consent provisions so far seem to be serving their purpose. They afford protection to consumers from those who would attempt to take advantage of the vulnerable or unsuspecting while not imposing a significant burden on business. As explained above, the potential for mischief remains - an unfortunate by-product of the last-minute compromises that led to ambiguity in the statutory language and the accompanying conflicting and contradictory legislative history. Yet, so far those difficulties remain largely hypothetical.
23. Second, the consent provisions themselves demonstrate the importance of technology neutrality in e-commerce legislation. Technological limitations today are overcome by the new products of tomorrow. Industry's varied and nuanced implementations of ESIGN point to the benefits served by Congress' refusal to mandate the use of a particular technology to accomplish its statutory objective. Were government instead to have granted its legal imprimatur to a single technology, that technology rapidly would have become a millstone to the online world and either acted as a drag on its expansion or led to widespread disregard for the Act's consent provision altogether.
24. Third, ESIGN simply is still new. Its record retention provisions have not even taken full effect, and its consent provisions are only four and one-half months old. That is far too soon to draw any definitive conclusions about whether changes are needed.
25. For all of these reasons, I think it is premature to talk of re-opening ESIGN to "fix" some of its admitted deficiencies. Re-opening the Act could lead to its becoming "worse" (however one were to define what that would be). Instead, it seems wisest to let matters sit, let experience with the Act accumulate, and, once a sufficient amount of time has passed, make an informed determination as to whether amendment is necessary. Such a "time-out" would serve the interests both of consumers and industry. It would allow consumers to become more comfortable with the new technologies and to identify in a sober fashion precisely what aspects of the online world (if any) concern them. And it would allow industry time to make those consumers comfortable, educate them as to the immense benefits of electronic media, and blunt the accusations of the most extreme among consumer advocates. ESIGN so far has been an imperfect but ultimately positive experiment. Let's not tamper with it just yet.
Addendum: FAQ ON CONSUMER CONSENT
26. As an addendum to these comments, I include, for the reader's information only, a short "Frequently Asked Questions" (or "FAQ") on ESIGN's consumer consent provisions that I have prepared previously.
27. When is Consent required?
Whenever the law requires that a contract or record be provided or made available to a consumer in writing and you want to do so electronically, you must obtain the consumer's consent.
28. What must I do?
Get affirmative consent from the customer, either electronically or on paper. The request for consent must:
29. Are there any special rules if I obtain a consent on paper?
You must obtain confirmation of that consent electronically.
30. How must I obtain consent or confirmation of consent electronically?
Possibilities include (but are not necessarily limited to):
Of course, in either illustration the format used should be one in which the ability to access necessarily carries with it a corresponding ability to print or save the document, so that demonstrating that the customer can access the document also means that she can save or print it.
31. What if I update or change the format or manner in which electronic records are provided?
Whenever you change the technical requirements for accessing or retaining the records, you must assess whether that change creates a "material risk" that a customer who previously has been able to access the records in their older format will not be able to access or retain subsequent records using the new method or format of delivery. If such a risk exists, you must obtain a new consent to continue providing the records electronically.
32. What obligation do I have to ensure that my customer receives the records?
In most instances, you have no obligation to ensure receipt. However, you should not ignore or "willfully blind" yourself to evidence of non-receipt (e.g., receiving an "undeliverable" message in response to attempts to deliver a record to a particular customer electronically). Where you have knowledge or reasonable grounds to suspect lack of receipt, you should re-send the record in paper form.
If the underlying law requires that a record be delivered via certified mail, or through some other means that enables the provider to receive an acknowledgment of delivery or receipt, you must ensure that the electronic delivery provides a similar acknowledgment.
The precise extent of your obligation to effect and verify delivery in a given circumstance will depend on the underlying laws or regulations that apply to your transaction. You should consult with counsel to ensure compliance with those requirements.
33. Must I re-deliver records already delivered electronically, if the consumer withdraws consent?
No. A withdrawal cannot be retroactive. It applies only to records not yet delivered at the time the withdrawal is implemented. However, you must implement a withdrawal expeditiously.
34. Must I provide a paper copy of a record upon request?
The Act is unclear regarding whether making available a paper copy is required, but it is probably advisable. You must explain in your request for consent how a consumer may request a paper copy and whether a fee will be charged for such copy. (You need not, and should not, specify the amount of the fee in the request for consent, as that amount likely will change over time, and if you include it in the request, any such changes might be prohibited.)
35. Am I obligated to start or continue doing business with someone who refuses to consent to contract or receive records in electronic form?
You are under no obligation to initiate a relationship with someone who refuses to interact electronically, provided that you explain that consequence of refusal in your request for consent.
You also are under no obligation to continue doing business with someone who withdraws her consent, except that you must continue to provide any records for which you already have incurred the obligation to deliver as a result of previously initiated transactions. If the customer withdraws her consent, you must deliver those remaining records on paper.
36. Behnam Dayanim is an attorney in the Washington, DC, office of the international law firm of Paul, Hastings, Janofsky & Walker LLP. He practices extensively in the areas of technology and e-commerce law and policy, concentrating in the areas of electronic transactions, privacy, and encryption, as well as in intellectual property and in the drafting and negotiation of a wide range of technology-related agreements. Mr. Dayanim was heavily involved in the formulation and legislative consideration of ESIGN, representing CSFBdirect Inc. (then DLJdirect Inc.) and participating in a coalition of technology and financial services companies. He also has been published and spoken frequently about the Act.