The European decision also points out the increasing legal split between U.S. and European E-Commerce requirements. For example, in the U.S., one-click checkout requires a license from Amazon, but cookies can be used routinely for customer tracking. In Europe, 1-Click is unpatented, but many cookies will soon require an opt-in in E.U. countries. The further the two markets drift apart legally, the more complicated cross-border E-tailing becomes.
The 1-Click rejection came after a patent appeals board decided 1-Click lacks an "inventive step," in part based on information from U.S. magazine articles published in 1996 and 1997 about using cookies and shopping carts in E-Commerce. Although Amazon's approach went farther "to reduce the number of user interactions involved in selecting items, which makes E-Commerce easier, faster and more comfortable, and also to reduce the amount of sensitive information sent over the Internet, which may be intercepted, in the Board's view the skilled person would have tried to solve these problems because they are both explicitly mentioned" in one of the magazine articles, the board concluded.
"The obvious trade-off between the two processes, namely security vs. simplicity, cannot establish an inventive technical contribution," the appeals board added. That might be a novel business process that's patentable in the U.S., but it's not enough for a European patent.
That decision widens the gap just a little more between what's legally required for U.S. online retailers and those in Europe. Over the past few years, the EU has passed a series of privacy and consumer-protection regulations that have tightened up what's allowed in Europe. Most of those new rules still have to be converted to laws by EU member nations. But as that happens, things will get messy.
The most potentially ugly regulation has to do with cookies. According to a privacy regulation that was supposed to be implemented in most EU countries by May (but hasn't been yet by most countries), a Web site must get permission in advance for any cookie that isn't required by a customer-initiated action. In practice, that means a cookie that remembers what the customer has in a shopping cart is probably OK. But for any more sophisticated tracking, the customer must opt in.Other consumer-protection rules in the European pipeline include regulations that cover how and when a company must report a data breach, others that specify how long customers have to cancel orders when ordering from an E-tailer in another EU country (14 days) and the maximum time the E-tailer has to deliver the goods (a month).
In principle, those rules won't affect U.S. E-tailers shipping to Europe, just as the patentless status of 1-Click in Europe theoretically won't affect European E-tailers with U.S. customers. And that may be true (although both patent lawyers and governments can try to reach outside their jurisdictions).
In practice, though, many U.S. retailers use foreign subsidiaries to simplify E-Commerce issues. Does that subject a U.S. E-Commerce site to those EU cookie laws, even if that's not the site a European customer is intended to order through?
What about U.S. retailers that use companies like FiftyOne to handle currency and customs issues for overseas customers? Does that create a strong enough connection that EU cookie law kicks in? If a third party provides the same type of service without a formal connection to the retailer, could that drag a U.S. retailer into European trouble?
Now flip that: What if a U.S. retailer decides to get around U.S. E-Commerce-related problems, including threats from patent holders ranging from Amazon to Microsoft co-founder Paul Allen, by moving its E-Commerce servers to Europe? After all, Europe is now a 1-Click-free zone. Would those E-tailers have to comply with EU cookie laws if they're only selling to customers in the U.S., not to those in Europe?
Or what happens if those servers are in the cloud? They might be in the U.S. or in Europe or even somewhere else. Which laws apply then?
If U.S. and European E-Commerce laws were reasonably close—or at least getting closer—this might be academic. But that's not the case, and there's no reason to think these two big markets will line up more closely in the future without a lot of effort.
That means the prospect of either pulling back from any cross-border sales or trying to satisfy both sets of requirements. In some areas, like reporting security breaches, going global may be unavoidable. But when it comes to patents and cookies, that's going to be a hard choice to make.