Discussions about "Big Brother" and onerous regulation of business usually center around the federal government. Not that Uncle Sam isn't evil at times, but these days it's the states that are causing the big headaches for retailers, especially those that operate on a multi-state or national level.
Every couple of weeks, it seems, another state makes news for attempting to regulate, tax or otherwise control retailers and retail technology. The toughest part, for merchants, is that states usually tackle the issues with little regard to being aligned with the efforts of their colleagues in other states or for the hardships their one-of-a-kind provisions impose on retailers.
The laws just keep on coming. Nevada, for example, passed a data protection law last month that goes into effect Jan. 1, 2010. In addition to forcing businesses to use encryption when data storage devices containing personal information are moved outside the company's physical or logical control, the new law also mandates compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) for businesses that accept payment cards.
As noted by New York law firm Hunton & Williams, "Minnesota law currently codifies certain select PCI DSS requirements. The new Nevada law is significantly more comprehensive, however, since it adopts the PCI DSS in its entirety by reference."
On the same day, a new data protection law goes into effect in Massachusetts. It has been described as one of the toughest such laws in the world.
(Not all state efforts are frightening retailers. See our related story about state attorneys general trying to discipline TJX this week. The Keystone Cops are more frightening.)
Meanwhile, E-Commerce players, such as Amazon.com, are battling it out with states over sales tax collection. In a letter it reportedly sent Monday (June 22) to California legislators, Amazon threatened to stop doing business with its marketing affiliates in the Golden State if it is forced to collect sales taxes there under a proposed law, similar to one it's fighting in New York, that it believes to be unconstitutional.
The passage of bills like these, which usually differ (often slightly and sometimes largely) from other states' regulations, has created a dizzying patchwork of often conflicting state laws, regulations and proposals. Learning about, lobbying for or against and eventually complying with these government initiatives puts a financial and logistical strain on even the largest retailers and their IT departments. Doing so can be enough to quash expansion plans by smaller players.
"It's extremely difficult to keep up with all the state announcements," said lawyer Lisa Sotto, a partner in the New York office of Hunton & Williams and head of the firm's privacy and information management practice. "There are 47 states and other jurisdictions with data breach notification laws and they're all a little bit different. The same tenor is followed in all these laws, but the verbiage differs and some of them are substantively quite different. So we are dealing with a non-harmonized regime on the state level. It's impossible, it really is."Retailers must also stay abreast of efforts by states to restrict new technology, such as RFID. Even when retailers convinced one state to back off such efforts, other states tend to take up the cause. For example, although New Hampshire backed away from its controversial efforts to regulate RFID, and agreed to study the technology before acting, Washington State, in April, adopted a precedent-setting RFID law.
Meanwhile, revenue-hungry state administrations are pushing to tax Internet sales, and vote-conscious legislators, perhaps leveraging constituents' fear of identity theft, are imposing various measures to protect citizens from data breaches.
"Not only do retailers have to worry about the state regulations but also, when they accept payment cards, they have to worry about PCI and requirements from Visa and MasterCard that are always changing," said Philadelphia lawyer Andrew Baer, a specialist in technology, e-commerce and information security law. "I think we do need some sort of nationalization on a federal level. Retailers have to look to the states first now but hopefully they will get some federal legislation that will preempt all these state laws."
Maureen Riehl, vice-president of the National Retail Federation's government and industry relations council, doubted Uncle Sam will soon be coming to retailers' rescue with overriding federal regulation for most of the issues now being tackled individually by the states. Congress, often made up of former state politicians, is not keen about circumventing state sovereignty when it comes to regulating business, she said.
"As a retailer, when you decide to grow your footprint across more than one state line, it is more than likely going to be a major investment for you just to keep track of the business-related issues as you cross those state lines," Riehl said. Most major retailers have full-time teams that keep track of legal and regulatory actions by states. These specialists "not only alert the company to things they should be sensitive about, with the disparate state laws, but they also provide, in many ways, an opportunity to build relationships (with state officials) so they can inform regulators and policy makers why something they want to do doesn’t make sense."
But even the most skilled lobbying efforts often fall on deaf ears. For most states, "the rights to tax and to provide consumer protection are all very closely guarded," Riehl said. "California is a really great example. California prides itself in this and has a reputation of doing things that are kind of firsts for states. As a result, because it's such a big state, California has its own de-facto standard. California likes that role. It prides itself in that role."
Despite California's well-known status as a regulatory vanguard, Massachusetts is becoming a state that strikes fear into many retailers these days, particularly when it comes to data protection, said Sotto, the New York lawyer. "There are a number of states that have security requirements so that entities are required to implement reasonable security to safeguard information," Sotto said. "Some states have gone further than others, but Massachusetts' legal actions are very extensive and take on many of the characteristics of European data protection laws which are the most onerous in the world."
Riehl said retailers can strive to craft their business practices to comply with the laws and regulations of the toughest states, such as Massachusetts. But Sotto noted this doesn't necessarily work because compliance with even a tough state's provisions does not mean a retailer is in the clear with another state. "There are some conflicts," Riehl said. "Under the Massachusetts data breach notification law you are not allowed to indicate in a letter to affected individuals what happened. But for other states you are required to indicate what happened."
Simply put, there is no way around keeping an eye on all the states all the time. However, some big retailers, such as Amazon, are actively trying to level the playing field. In Amazon's case, the big issue is state collection of taxes from Internet sales, an issue that directly affects the E-Commerce powerhouse's reliance on affiliate marketing.
"The Internet sales tax point is greatly troubling a lot of people in the affiliate marketing industry," Baer said. "New York passed a law, about a year and a half ago, which basically said if you are an online merchant and you have affiliates located in New York, that can create a nexus for sales tax purposes and expose all sales in New York to the sales tax even if your business has no employees in New York. Other states, seeing a great source of potential revenue, are now jumping on that bandwagon."
He said Hawaii is on the verge of enacting a law similar to New York's as are a number of other states including California and North Carolina. Although the U.S. Supreme Court held that states cannot require collection of sales taxes by sellers who do not have a physical presence there, the court said Congress has the power to allow states to force those sellers to collect taxes. Fewer than half the states (22) have signed on as members of an initiative aimed at resolving the sales tax problem.
Riehl noted that gift card rules and regulations are another source of grief for compliance-conscious, multi-state vendors. "They are subject to different rules in different states," she said. "They can have expiration dates in some states but not in others. States are powerful in their ability, depending on how big their economy is. They very closely guard the abilities and constitutional rights, their sovereign ability to tax and impose rules. And the states have their own powerful lobbies in D.C."
Riehl said the NRF believes one of its most important functions is, like a kid at a carnival playing Whac-a-Mole, to keep track of the ever-changing landscape of state regulatory efforts. "We spend a lot of time monitoring this," she said. "But we miss things too." Making matters even crazier for retailers is the fact that many county and municipal governments "can be activists as well" when it comes to retail regulation, she noted.