The legal Web of wireless transactions.
by Brantley, Allison S.; Farmer, Shanin T.; Jackson, Bacardi L.; Krupoff, Jana; List, Steven S.; Ray, Ellen G.
I. INTRODUCTION
The wireless web creates an exciting new marketplace for consumers
and businesses alike. For consumers, the flexibility and freedom
afforded by wireless handheld devices such as Palm™ and
BlackBerry™, mobile phones, and even watches with wireless
capabilities, provide an "untethered," "ubiquitous,"
and "unbounded" lifestyle. (1) For businesses, the wireless
medium creates a new venue for their services and products, one in which
businesses can furnish information to and collect valuable information
from and about consumers conducting wireless transactions. Although the
recently slowing economy has caused some companies to scale back their
mobile commerce initiatives, (2) most experts see wireless transactions,
also known as "mobile commerce" or "m-commerce," as
the future of technologically advanced business transactions. (3) Given
the growth projected for this market, businesses will inevitably make
large investments in order to secure a niche in the wireless world. (4)
Thus, for businesses that supply information, products, or services
via the Internet and wish to reach a broader audience on a real-time
basis, the wireless Web presents an innovative opportunity. At the same
time, this new way of transacting business brings legal challenges that
require thoughtful planning. In developing mobile commerce initiatives,
businesses face two compelling and distinctive legal issues in
particular. First, they must comply with the privacy and security
regulations that govern wireless transactions in both the United States
and, if the business is global, overseas. Second, businesses must ensure
that their wireless transactions with customers comply both with
traditional contract law and the growing number of record retention
requirements related to electronic transactions. This Article analyzes
these two pressing legal issues in depth so that such businesses can
steer clear of the hazards they pose to their m-commerce initiatives. (5)
II. PRIVACY AND SECURITY
Businesses that hope to win wireless consumer confidence and
increase participation in the new wireless marketplace must minimize
consumer privacy and security concerns. Ensuring privacy on the wireless
Web means complying with laws regarding the collection and use of
"personally identifiable information" about wireless customers
and dealing with the legal consequences of "location
technology," a unique feature of wireless devices. Ensuring the
security of m-commerce means protecting customers from unauthorized
"eavesdroppers" and those who might use information
transmitted wirelessly for unauthorized or fraudulent purposes. However,
in light of the September 11, 2001, terrorist acts, Americans may be
more tolerant of, and the U.S. Government may be more insistent upon,
incursions into areas that were typically perceived as private. The
terrorist acts may therefore have a liberating effect on privacy laws,
but only time will tell.
A. Ensuring the Privacy of M-Commerce
The increased popularity of mobile commerce
("m-commerce") raises unique privacy issues in two ways.
First, the design of wireless devices creates technical problems for
wireless businesses seeking to abide by privacy laws protecting customer
information. Second, the location-tracking ability of wireless networks
raises privacy concerns about "Big Brother" and about
unsolicited advertising while at the same time it creates exciting
possibilities for government and business use.
1. Protecting Personally Identifiable Customer Information
A variety of federal and state laws govern the collection and use
of personally identifiable information. (6) Most of these laws apply
only to government entities or particular industries. (7) Two appear
most relevant to wireless transactions: the Children's Online
Privacy Protection Act ("COPPA") and the Gramm-Leach-Bliley
Financial Modernization Act ("GLBA"). (8) In addition, the
Federal Trade Commission ("FTC") has promulgated five
"Fair Information Practice Principles," which have a direct
bearing on m-commerce privacy concerns. (9) Wireless industry groups
have also published advisory principles on privacy in an effort at
self-regulation. The next four sub-sections examine, in turn, the two
federal statutes, the FTC principles, and industry self-regulation in
the form of advisory opinions, and a fifth sub-section then discusses
the difficulties in applying these laws and principles to handheld
wireless devices.
a. The Children's Online Privacy Protection Act
Teenagers in the United States represent a significant untapped
market for the wireless industry. Wireless businesses have responded by
beginning to develop and market mobile devices to teenagers, and these
efforts will probably cause the number of users under the age of
thirteen to increase. (10) Given the rise in use of wireless devices by
youngsters, businesses participating in wireless transactions need to
know and comply with the regulations of the COPPA. The COPPA, passed by
Congress with the FTC's strong recommendation, regulates the
collection, use, and disclosure by Internet website operators of
personally identifiable information of children under the age of
thirteen. (11) Although the COPPA refers to conventional Internet
transactions, the strong public policy underlying the law to protect and
regulate information collected from children would likely apply to
wireless Web functions as well as traditional online environments.
The COPPA, effective April 1, 2000, creates certain duties for
website operators, provides a safe harbor, and defines various terms.
With regard to duties, the COPPA requires that website operators who
either direct their sites to children or who know they are collecting
information from children take the following five actions: First,
provide parents with conspicuous notice of what information is
collected, how the information will be used, and the website's
disclosure practices. Second, obtain prior, verifiable parental consent
for the collection, use, and disclosure of personal information from
children (with limited exceptions). Third, provide parents the
opportunity to view and prevent further use of personal information
previously collected. Fourth, limit the amount of information that a
child must provide to participate in a game, prize offer, or other
activity to information that is reasonably necessary for that activity.
Fifth, establish and maintain reasonable procedures to protect the
confidentiality, security, and integrity of the personal information
collected. (12)
The COPPA provides a safe harbor if a website operator complies
with any of the sets of self-regulatory guidelines issued by
representatives of the marketing or online industries, that, after
notice and comment, have been approved by the FTC. (13)
The COPPA defines several of its terms. An "operator" is
"any person who operates a website located on the Internet or an
online service...." (14) The "Internet" is "the
myriad of computer and telecommunications facilities, including
equipment and operating software, which comprise the interconnected
world-wide network of networks that employ the Transmission Control
Protocol/Internet Protocol, or any predecessor or successor protocols to
such protocol, to communicate information of all kinds by wire or
radio." (15)
b. The Gramm-Leach-Bliley Financial Modernization Act
A second statute affecting wireless privacy issues is the GLBA,
which governs the collection, use, and dissemination of non-public
consumer financial information by financial institutions. (16) While the
GLBA specifically targets only "financial institutions," (17)
the statute defines financial institution in extremely broad terms and
would likely apply the term to many companies not traditionally
categorized as financial institutions, (18) including businesses with
wireless offerings. Thus, businesses participating in wireless
transactions should be aware of the GLBA requirements.
Under the GLBA, financial institutions must perform the following
three duties regarding non-public consumer financial information: First,
provide clear and conspicuous notice to consumers of the
institution's privacy policy upon establishing the customer
relationship and at least annually thereafter. (19) Second, obtain
consent from consumers before disclosing a consumer's non-public
personal information to non-affiliated third parties. (20) Third,
provide a reasonable method for consumers to "opt out" of such
disclosures to non-affiliated third parties. (21)
As of July 1, 2001, compliance with the GLBA's obligations is
no longer voluntary.
c. The Federal Trade Commission's Five Fair Information Practice Core Principles
COPYRIGHT 2003 Rutgers University School of Law - Newark. Reproduced with permission of the copyright holder. Further reproduction or distribution is prohibited without permission.