Comments on Arkansas’ “Online Marketplace Consumer Inform Act” (SB 470)

It’s hard to keep up with the tsunami of new Internet laws at the state level, and I had some difficulty finding the actual text of this law as passed (I couldn’t see it at the legislative website’s page for the bill–so odd). So, three months later, here’s my review of Arkansas’ “Online Marketplace Consumer Inform Act” (SB 470, codified at 4-119-101 to 4-119-105).

What the Law Says

The law regulates “online marketplaces” that “allow for, facilitate, or enable” third-party sellers to “engage in the sale, purchase, payment, storage, shipping, or delivery of a consumer product in the United States” and hosts 1 or more third-party sellers. (A consumer product is “tangible physical property”). The statutory definition is sufficiently imprecise that I’m not sure if online classified ads providers, such as Craigslist, are governed. The references to “shipping or delivery” is nonsensical…does this really reach common carrier package delivery services like UPS? They don’t “host” sellers, but the term “host” is undefined.

The law’s duties apply to “high-volume third-party sellers” who make 200+ sales, totaling $5k or more in gross revenue, in any 12-month period in the past 24 months. However, a seller is excluded if they (1) make available to the general public “the business entity’s name, business address, and business contact information,” (2) have “an ongoing contractual relationship with the owner of an online marketplace to provide for the manufacture, distribution, wholesaling, or fulfillment of shipments of consumer products” [I assume that includes fulfillment by Amazon?], and (3) the info that otherwise needs to be verified has been verified by the online marketplace. [Given the almost 1:1 overlaps with the requirements of every high-volume seller, I didn’t understand the benefit of this purported exclusion.]

Within 24 hours of reaching the high-volume seller quantity thresholds, the online marketplace must require the seller to provide:

• confirmed bank account info (or the seller’s name if it doesn’t have a bank account); and
• if the seller is an individual, a government-issued photo ID with name and address; otherwise, the government-issued photo ID of an individual acting on behalf of the seller or a government-issued record or tax document that includes the business name and physical address; and
• a working email address and working phone number [the statute doesn’t define what “working” mean. I assume it means that emails/calls don’t bounce. But does there have to be a human at the other end actually checking it?]; and
• a tax ID number; and
• whether the seller is exclusively selling on the online marketplace or selling the items elsewhere [I’m not sure why this is required or why this matters to anyone].

The online marketplace must verify all of this info within 3 days. The online marketplace must send an annual notice asking the high-volume seller to update their info or confirm no changes within 3 days of that notice; and the online marketplace must suspend any seller who doesn’t timely respond.

The online marketplace must confirm that high-volume sellers disclose their name in bold on the product listing and the following info on the product listing or in a link:

• full physical address
• “Whether the high-volume third-party seller also engages in the manufacturing, importing, or reselling of consumer products” [again, why?]
• a working phone number and working email address

The disclosure requirements are slightly relaxed for sellers who can show they only work out of the home or only have personal phone numbers.

“An online marketplace shall disclose to a consumer, in a conspicuous manner and in bold print on the consumer product listing of any high-volume third-party seller, a reporting mechanism that allows for electronic and telephonic reporting of suspicious marketplace activity to the online marketplace and a message encouraging individuals seeking goods for purchase to report suspicious activity to the online marketplace.”

Implications

The worst pain points in this law:

• there is no size-based limitation for online marketplaces. As I’ve said before, size-based distinctions don’t cure bad policy. Nevertheless, without it, this law imposes onerous and costly obligations on a tiny marketplace with a single high-volume seller.
• sellers are not going to be thrilled about publicizing their phone numbers and emails. I expect competitors and malefactors will weaponize that information for profit and lulz. It’s also super-helpful for rival online marketplaces who want to try to poach an existing marketplace’s plum vendors. To thwart this, online marketplaces will surely deploy stronger anti-scraping efforts, which might accelerate the development of more anti-scraping jurisprudence.
• online marketplaces are required to provide a phone number for “suspicious marketplace activity.” The law doesn’t require a human at the other end, so I assume most larger online marketplaces will deploy a phone tree with a voicemail box that transcribes user messages into text that can be entered into the standard CSR queue. Even then, it will be a nuisance to deal with the calls that have nothing to do with “suspicious marketplace activity.” The pain will be even more acute for online marketplaces that don’t have the ability to process the incoming calls automatically. They will be effectively forced to provide general phone-based customer support.
• On that point, to the extent that sellers rely on an online marketplace’s internal messaging systems to manage their buyer interactions, having customer support requests submitted via phone or email will put those messages into a different system, creating workflow challenges. For example, if a buyer opens a ticket in the online marketplace messaging system, but then submits additional information related to the ticket via email, the seller may have difficulty collating the information.

I assume online marketplaces will outsource the verification functions to third-party vendors that will provide it as a turnkey service for profit. That will reduce it as a pain point, but increase the online marketplace’s costs. I expect some of these costs will be passed through to the high-volume sellers, many of whom already complain about the fees imposed by the online marketplaces. As a result, this law will hurt smaller high-volume sellers by squeezing their margins at the marketplace AND increasing their costs with all of the phone calls and emails having nothing to do with the law’s purpose.

There’s nothing that limits this law’s applicability to Arkansas. In particular, the law appears to govern all sellers throughout the country, even if the sellers have zero connections to Arkansas (other than listing items in the online marketplace, which itself may not have any physical presence in Arkansas) and never make a sale to an Arkansas resident. For that reason, I think this law would be vulnerable to a dormant Commerce Clause because it seems to have extraterritorial effects by regulating the interactions of sellers and buyers both wholly outside of Arkansas.

I also wonder about the law’s vulnerability to a First Amendment challenge. It requires online marketplaces to disclose information they may not want to disclose, and it requires them to encourage submissions of notices about suspicious activities if the marketplaces don’t actually want to encourage such reports. It also requires them to suspend sellers–which has the consequences of blocking the seller from making any marketplace purchases, and hides any speech that the seller is publishing at that time. The law also indirectly compels individual sellers to disclose information they don’t want to disclose and could have privacy implications (the reduced disclosures partially address the issue, but perhaps not completely). The AFP v. Bonta case raised some interesting issues about mandatory disclosures, especially when there is a privacy angle.

The law raises some Section 230 angles too. It holds online marketplaces liable for third-party content they don’t verify. A decade ago, Section 230 struck down mandatory verification laws regarding commercial sex ads depicting underage models. Though those laws were structured a little differently, I think this law raises the same concerns.

The law mandates the creation of a honeypot of high-value data (such as government issued IDs and tax IDs) that will be of some interest to hackers. However, the law doesn’t impose any data security obligations on online marketplaces. PARTY-TIME! I also wonder how the aggregation and publication of the sensitive information intersects with data privacy laws, e.g., if an online marketplace that also must comply with the CCPA/CPRA.

I’ve heard no chatter at all about the law since it passed. In a quick Google search, I didn’t find any media coverage of it. (I did see this statement from the Toy Association celebrating the law and saying they are working to propagate this model in other states). My guess is that publicly listed services will acquiesce and smaller online marketplaces will ignore it. Thus, there may not be any proactive legal challenges to the law from the online marketplaces (though perhaps a group of sellers may independently push back), and that challenge may come up only after the state tries to enforce the law.

This law partially overlaps with some bills pending in Congress. I imagine the online marketplaces would much prefer a single federal solution than many state variants, so any federal vendor disclosure law would need a preemption clause. However, the federal bills have their own drafting problems, so online marketplaces may not be ready to embrace those enthusiastically.

UPDATE: the Makers and Merchants Coalition is fighting against a federal INFORM Act.