Comments on HB 5502, the “INFORM” Act

Today, the House Energy and Commerce Committee is marking up the INFORM Act (I think this is the latest version but who knows). The INFORM Act is like a “know-your-customer” (KYC) law for sellers in online marketplaces. It iterates on a similar law enacted earlier this year in Arkansas; and it’s a partial substitute for the SHOP SAFE Act, one of the worst proposals to “fix” the Internet that Congress has considered. Because this law is primarily disclosure-focused, it’s not as toxic as harsher substantive regulations (such as SHOP SAFE).

Relying on the pretense that the bill is not controversial, the bill sponsors are trying to attach it to the must-pass NDAA bill, even though the bill has absolutely nothing to do with national defense. (Recall that less than a year ago, then-Pres. Trump vetoed the NDAA because it didn’t contain a full repeal of Section 230. Fun times). The procedural move will cut short further evaluation and refinement of this bill. For reasons described below, the bill would benefit from more scrutiny, not less.

Who’s Covered by the Bill

The bill applies to online marketplaces and high-volume sellers.

The bill defines “online marketplace” as “a consumer-directed electronically based or accessed platform that—(A) includes features that allow for, facilitate, or enable third party sellers to engage in the sale, purchase, payment, storage, shipping, or delivery of a consumer product in the United States; (B) is used by one or more third party sellers for such purposes; and (C) has a contractual or similar relationship with consumers governing their use of the platform to purchase consumer products.” [As I mentioned with the Arkansas bill, the disjunctive references to “storage, shipping, or delivery” make no sense. If an entity used the service purely for delivery, it seems like bill shouldn’t apply? Note that there is no size-based distinctions for online marketplaces, so this law applies to any marketplace that has a single high-volume seller and treats them the same as Amazon.]

According to the bill, a “high-volume seller,” “in any continuous 12-month period during the previous 24 months, has entered into 200 or more discrete sales or transactions of new or unused consumer products and an aggregate total of $5,000 or more in gross revenues” that the online marketplace financially processes. [So I assume any direct consumer-to-seller payments don’t count, even if brokered by the marketplace. One question I’ve wondered is how an online marketplace at scale will know if an item sold is new, unused, or used. I assume the marketplaces will simply count a seller’s total transactions/revenue, regardless of what was being sold].

What’s Required of Online Marketplaces

The bill has four main obligations: (1) marketplaces must collect information from high-volume sellers, (2) marketplaces must verify the information, (3) marketplaces must make high-volume sellers disclose contact info to consumers, and (4) online marketplaces must enable electronic and telephonic reporting of “suspicious activity” in the marketplace. More details about these obligations:

Information Collection/Verification. An online marketplace must collect the following info from high-volume sellers: (1) the seller’s bank account number, (2) for entities, a government-issued ID for a representative or government-issued record or tax document showing the entity’s business address, (3) tax ID number, and (4) working phone number and email address. Every year, the online marketplace must ask sellers to refresh their information. The online marketplace must suspend any seller who doesn’t comply.

The online marketplace is required to verify the high-volume sellers’ information, but it can rely on any government-issued tax documents (but apparently not other government-issued documents). [As I mentioned in my Arkansas post, the verification requirement raises significant concerns about scalability. It might create a new market niche for third-party services to do verification work, but that will increase total compliance costs.]

The bill says online marketplaces can’t use the seller-supplied information for secondary purposes and must deploy reasonable security procedures and practices to protect the collected info.

Disclosures to Consumers. An online marketplace is required to collect the following information from high-volume sellers with over $20k of annual sales and then disclose the following information “in the order confirmation message…and in the consumer’s account transaction history” [note: this limited-audience disclosure is an improvement on the Arkansas bill, which requires public disclosure that is even more privacy-invasive and creates a honeypot for competitors, data miners, and malefactors]:

  • the seller’s full name.
  • the seller’s physical address, unless the seller doesn’t have a separate business address, in which case the seller can disclose just the state/country. If the seller has a separate business address for returns, the seller can just disclose that.
  • “contact information for the seller, to allow for the direct, unhindered communication with high volume third party sellers by users of the online marketplace,” including a working phone number or working email address. [There appears to be a drafting ambiguity whether the seller must disclose both a phone number and email address; to me, the drafting is clear that either complies]. If the seller doesn’t have a separate business phone number, it can only disclose its email address [but this doesn’t make sense in light of the drafting ambiguity].
  • “Whether the high-volume third party seller used a different seller to supply the consumer product to the consumer upon purchase.” If so, authenticated purchasers can request that seller’s name, address, and contact info.

If a seller gets the concession to display less than its full info, but either lied about its situation or “has not provided responsive answers within a reasonable time frame to consumer inquiries submitted to the seller,” then the online marketplace must suspend the seller until full disclosures are made. [Not sure what a “reasonable time frame” for responses will be. I assume online marketplaces will treat any complaints about a seller’s turnaround time as dispositive evidence of noncompliance and suspend the seller.]

Mechanism for Reporting Suspicious Activity. “An online marketplace shall disclose to consumers in a clear and conspicuous manner on the product listing of any high-volume third party seller a reporting mechanism that allows for electronic and telephonic reporting of suspicious marketplace activity to the online marketplace.” [I’m sure every online marketplace will be overjoyed to receive these reports. Remember what happened when people reported “suspicious” neighborhood activity on Nextdoor? RACISM. In this context, it’s likely that: competitors will try to game each other through these notices; IP owners will treat the notice mechanism as a queue to submit takedown demands and cite any failures to honor their “notices of suspicious activity” as proof of scienter in their lawsuits; and consumers will treat this as a general-purpose customer support queue. Also, the SHOP SAFE Act has a misdrafted attempt to impose liability for submitting bogus reports. The INFORM Act should add such a provision, but draft it properly.]

Enforcement. Enforcement is by the FTC, state AGs, and “any other officer of a State who is authorized by the State to do so.” [Who are these latter folks? This is a highly unusual provision that needs more explanation.]

Preemption (Sort Of). “No State or political subdivision of a State, or territory of the United States, may establish or continue in effect any law, regulation, rule, requirement, or standard that conflicts with the requirements of this section.” [I’m not a preemption expert, so I’m not sure how far this goes. I believe this means states can adopt identical “baby” versions of this law with their own enforcement mechanisms. Does this preemption clause otherwise prevent states from imposing greater obligations than INFORM? Does this preemption clause preempt Arkansas’ law? Knowing about the states’ interests in passing heterogeneous laws, Congress should mandate a single national standard.]

Implications

Low-Hanging Fixes. The bill fixes a few parts of the Arkansas law, but it still could be easily improved:

  • Get rid of the references to “storage, shipping, or delivery” in the definition of “online marketplace.”
  • Consider adding a minimum number of high-volume sellers before an online marketplace must comply. Without that, the law inevitably imposes significant compliance costs on marketplaces that can’t afford it.
  • Fix the drafting ambiguity about phone/email disclosures.
  • Add significant deterrence and punishment for submitting bogus “suspicious activity” reports to deter misuse of that queue.
  • Get rid of the weird language about other state enforcers beyond the AGs.
  • Make the preemption clause clearer so that it preempts all state efforts to regulate in this area.

Is the Bill Constitutional? It’s tempting to believe that this bill could survive a constitutional challenge. Disclosure laws often do, and in this case, the law might only trigger intermediate scrutiny due to its commercial context. (I don’t think the disclosures are actually “commercial speech,” but because they are linked to commercial speech, I think they would get similar treatment).

However, don’t lose sight of what the law is really saying: sellers get the right to publish their constitutionally protected ads only if they verify their identity and make other unwanted disclosures; and the “publisher” (the online marketplace) must suspend future publication rights if the sellers don’t authenticate. Framed that way, the law raises obvious constitutional problems as attacking both free speech and the right to anonymous speech. Indeed, a decade ago, laws requiring the age authentication of models in prostitution ads were struck down as First Amendment violations.

Further, these mandatory prophylactic disclosures apply to high-volume sellers who are selling products of all sorts, including products that have no particular reason to generate concerns about consumer safety, IP violations, or other justifications for “just-in-case” intrusions. As Cathy Gellis explains, to the extent the products being sold include First Amendment-protected speech (such as books, music, movies, art, etc.), the mandatory disclosures seem even more problematic.

I don’t know who would bring a constitutional challenge. The Arkansas law raises similar concerns, and I didn’t hear a peep about a constitutional challenge. If the major online marketplaces plan to acquiesce to the law, then any challenge would fall onto smaller services, individual sellers, or third-party groups. It’s possible Congress will get away with any constitutional violation due to a lack of challengers or their possible problems with standing. Even if there’s never a challenge, we should be concerned any time a legislature so casually looks past possible First Amendment problems.

What Effect on Competition? Disclosure-based laws impose operational and compliance costs on the regulated entities. Typically, these costs disproportionately hurt smaller players who don’t have economies of scale and can least afford the costs. Will the major online marketplaces acquiesce to this bill because they are OK that Congress will be raising barriers to entry and hobbling their competitors?

In particular, I have repeatedly raised the possibility that Amazon will shift all of its operations to 100% retailing and wind down its online marketplace. If that’s Amazon’s end game, then increasing the costs of operating online marketplaces hurts Amazon’s competitors, not Amazon. Could Amazon be playing  3D chess here, and are the legislators their pawns in that game?

What Do Privacy Advocates Think? This bill requires sellers to disclose highly sensitive personal information to online marketplaces and consumers that the sellers don’t want to provide and the online marketplaces don’t want to get. The bill gestures towards privacy and security, but as privacy mavens know, the best way to avoid privacy and security risks is to not collect the information in the first place. Indeed, Congressmembers have been highly critical of the privacy-invasive activities of “Big Tech”–yet schizophrenically, Congress simultaneously would be demanding that some of those same entities collect MORE sensitive information. I’m a little surprised that the privacy community isn’t sounding a red alert about this bill. For example, the GDPR tanked the WHOIS database (a public database of contact information about domain name buyers), and the INFORM Act is way more privacy-invasive than the WHOIS database ever was.

The Camel’s Nose. Make no mistake: the push for KYC-on-the-Internet won’t stop here. I believe this would be the first time that Congress has imposed identity verification requirements on Internet players who do not have similar requirements in the offline world. If this passes, it won’t be the last. You can bet the intellectual property lobby is licking its chops for more identity verification requirements. The SHOP SAFE Act was one such initiative. It’s also easy to imagine a 512 reform that says service providers won’t qualify for the safe harbor unless they can turn over authenticated contact information for alleged infringers. So many Internet critics would love to see every Internet user have a “driver’s license for the Internet”– thus eliminating all unattributed activity on the Internet. You might think this bill only targets online marketplaces, but it’s likely the camel’s nose towards a more dystopian Internet.

For another take on the bill, see Cathy Gellis’ writeup at Techdirt.

Prior Blog Posts on the 117th Congress’ Efforts to Kill the Internet