E-Commerce

When China’s legislature, the National People’s Congress (“NPC”), enacted the Cybersecurity Law (“CSL”) in 2017, it set into motion a new era of data governance in China.  Three years later, in 2020, the NPC followed up this landmark act with two other legislative milestones in this space: the draft Data Security Law (“DSL”) (see our blogpost here) and draft Personal Information Protection Law (“PIPL”) (see our client alert here).  Both the PIPL and DSL will be finalized this year.  Taken as a whole, these three laws form an over-arching framework that will govern data protection and cybersecurity in China for years to come.

While the DSL and PIPL have remained in draft form over the past year, the Chinese government has not stood idly by – instead, various Chinese regulators have continued to introduce data- and cyber-related rules in key sectors.  Many of these sectoral rules do not appear to be primarily focused on data protection or cybersecurity, yet they may indirectly impact the collection, use and processing of personal information in specific sectors.  The rollout of these new rules has not been fully coordinated, and the approaches taken in some cases deviate from the over-arching framework mentioned above.  We expect this divergence to remain, even after the finalization of the PIPL and DSL.  Consequently, China’s data and cyber regime will likely present a complex web of regulatory rules for organizations to navigate – both now and in the years ahead.

In this blog series, we examine several recently-introduced data and cyber rules in the areas of e-commerce, finance, healthcare, and artificial intelligence – all of which are rapidly expanding sectors in China where the collection and use of massive amounts of personal information have given rise to a variety of regulatory concerns.  We will also explain, in the last blogpost of this series, China’s recent push to regulate how mobile applications can collect and process user data.

In our first blogpost of this series, we focus on recent developments in China’s e-commerce sector.

Yesterday, the U.S. Supreme Court refused to reconsider Shlahtichman v. 1-800 Contacts Inc., in which the U.S. Court of Appeals for the Seventh Circuit held that an email confirmation of an online purchase is not “electronically printed” for purposes of the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”).  Among other restrictions

On December 29, President Obama signed the “Restore Online Shoppers’ Confidence Act” into law.  The legislation prohibits e-commerce retailers from passing customers’ billing information to post-transaction third-party sellers, and also requires post-transaction sellers to meet certain requirements before charging consumers’ financial accounts.  Specifically, the post-transaction seller must (1) disclose all material terms of the transaction, including the fact that the post-transaction seller is not affiliated with the initial retailer; and (2) obtain billing information and affirmative consent for the transaction directly from the customer. 

The Act arose out of an investigation by the Senate Committee on Commerce, Science, and Transportation into the sales practices of Affinion, Vertrue, and Webloyalty.  These post-transaction sellers offered membership club enrollment to consumers who were completing transactions at popular online retail sites, although consumers often did not understand that they were entering into a separate relationship with the membership club or that they would be charged periodic fees.