The Law sign blog – create your future

Law is just boring, isn’t it?

This is one of the guest posts written by Nicholas Orosz, who tells us about the legal implications of having a website online these days. If you only sell FBA wholesale on Amazon, this article might not apply to you, but if you sell in any other capacity online, including FBA private label on Amazon, you’ll appreciate his suggestions. Below this post you will find his social media credentials to be able to contact him personally. You can find another guest post from him more specifically relevant to FBA Amazon here.

Law: that’s just boring stuff that we internet marketers don’t have to worry about, isn’t it?

Well, not exactly. For the average internet marketer, it is a boring reality nowadays that they really do need to be aware of the legal framework, because the consequences of falling foul of it are just too awful to contemplate.

United States law has a long history of extra-jurisdictional reach. I well remember once working as a lawyer on a prospectus for a UK oil drilling company issuing shares on the London Stock Exchange – it was drilling for oil around the world, but nowhere near the USA. We were obliged to have about a third of the front cover devoted to a US Securities Act boilerplate warning in case one citizen saw the prospectus and might dare to apply for some shares. It was absurd.

In exactly the same way, US consumer protection legislation has developed a similarly long arm. Thus any internet marketer who might one day sell a product to a US citizen has to be aware of the FTC (the Federal Trade Commission), which seeks to claim jurisdiction over anything that affects US consumers. Its powers are enough to frighten any sane person. It does not matter where you are resident – if you potentially sell any products to Americans, then you need to be aware of the FTC.

Now the European Union has got in on the action too. Europeans are very concerned about privacy in a way that the USA doesn’t seem to be, and the EU’s recently enacted GDPR (General Data Protection Regulation) similarly claims a fairly global reach, which will affect Americans who may potentially market to Europeans – they too need to be very aware of the very long arm of these regulations.

So who needs to be aware of this legal stuff? Well, anybody with an internet business really – e-commerce stores, digital and e-mail marketers (anybody who collects leads from a landing page), Amazon private label sellers, anyone advertising on Facebook, even affiliate marketers and, in actual fact, any business owner with a website.

So what exactly do marketers online have to be concerned about?

The Federal Trade Commission

The FTC has some very specific rules, regulations, and guidelines that you need to be aware of if you are selling to, marketing to or collecting information from consumers.

Your marketing strategies do need to have a solid legal compliance strategy built in. You need to pay attention to this every time you add a new headline to your sales page or make a promotional social media post.

If you think this is overdoing it a bit, just google “FTC complaints”. It’s enough to cause any sane businessman or woman who lives on the edge to have nightmares. On the other hand, if you don’t have an appetite for any kind of risk you might want to be obnoxiously compliant with FTC regulations.

You could have happily ignored the FTC before 2009, but that year saw an avalanche of laws and regulations being imposed by the FTC, and since 2014 the FTC has increasingly been targeting smaller businesses, which can no longer expect to fly under the radar. State and federal investigators now have access to the FTC’s Consumer Sentinel Network database – a massive database of millions of complaints against businesses, many of which are online. This is made available to law enforcement officials at both state and local level. As a result, there can be huge co-ordination in large actions against businesses, and since 2014 the FTC has been bringing more group actions, increasingly including the small entrepreneur.

This is why you online entrepreneurs need to worry. Ignorance of the law is no excuse. We’ve all been told to take massive action and to just learn as we go. This is great marketing advice, but not the best legal advice. So what are some of the biggest mistakes we internet entrepreneurs can make?

Perhaps the biggest of all is deceptive testimonials. We all know how powerful testimonials are, and we have all probably been influenced ourselves into buying products on the basis of powerful testimonials.

The FTC isn’t too concerned about general non-specific testimonials, but is very concerned by what it calls “Aspirational Testimonials”. Consumers, after all, put a lot of weight on specific, measurable and verifiable testimonials. There is a massive difference between on the one hand “I am now maintaining a good weight” and on the other “I lost 10kgs in two weeks”.

The risk is that the FTC might decide that you have made an implied claim that most consumers can expect to achieve the same results. Of course, all you want to do is to put up the testimonials from the superstars and ignore the more run-of-the-mill ones.

The more successful the testimonial, the higher the burden of proof that most people can achieve similar results.

You will in the past have seen lots of disclaimers, such as “typical individual results may vary” or “these testimonials are based on the experiences of a few people and you are unlikely to have similar results”. But these can no longer be relied upon. You now have to show “generally expected results”.

If you are promoting a business opportunity then some people might make a lot of money, but most people won’t even bother to watch all of the videos. So you do need to focus on the “qualifying circumstances” – a person’s effort, ability to complete the course, their aptitude and prior experience. In this case, the variables are almost infinite – there is a world of difference between really giving it a go and just playing at it as a bit of a hobby.

“Well, I don’t have to worry too much, I’ve got a company to hide behind?” Think again. Of course, corporate protection is useful in so many areas, but if the FTC can prove that an individual participated in the advertising, then it can easily “pierce the corporate veil” and include named individuals in legal actions. That’s when personal bank accounts can be frozen and your personal possessions and even retirement accounts can be attacked.

Data Security

Hardly a week goes by without another major data security breach at a huge organization making the news, so it’s hardly surprising that this too needs to be at the forefront of our concerns. The FTC has taken action against big companies, and in 2017 initiated discussions targeting small businesses, explaining what is needed to comply.

So what exactly is Data Security all about? This is the FTC’s definition: “The establishment and maintenance of administrative, physical and technical standards for the protection of the security, confidentiality, and integrity of personal and sensitive data.”

So whether you keep your personal information about customers (or indeed employees) in a filing cabinet or on a computer network, you need to have a sound Data Security Policy in place to collect only what you need, to keep it safe, and to dispose of it securely. This can help you meet your legal obligations to protect that sensitive data.

The EU’s GDPR (General Data Protection Regulation)

This game changer came into effect on 25th May 2018. It is the biggest change in data protection for 20 years. These new data privacy laws affect how all organizations store and use data. Organizations will have far greater responsibilities in how they use, store and protect the data of EU citizens (EU “Data Subjects”) and so this will affect any online US business that might possibly come into contact with an EU citizen. So whilst EU subjects residing in the EU will enjoy increased privacy, the regulatory authorities now have far greater power to take action against businesses that breach the new laws.

To understand the European perspective it’s helpful to understand some of the background. The US privacy regulations were felt to be inadequate for the protection of EU subjects, and perhaps the catalyst for all of this was the shocking revelations in 2013 of the whistleblower Edward Snowden. As an NSA employee, he revealed that large US technology companies were secretly transmitting large amounts of data to government authorities, apparently under the guise of fighting terrorism. But were there other purposes behind this? It’s fair to say that the European reaction was incredulous. This led to a desire to crack down on data protection and enforce it worldwide. The thinking behind this is that privacy and data security are inalienable human rights – this is a far stronger feeling than anything in the USA.

It is important to stress that the regulation also applies to non-EU companies that process personal data of individuals in the EU. So you don’t have to be located there – it’s the business activity that’s caught, not merely the location of a business. As long as you receive and process this information you are caught. So merely archiving this information means you are processing it and therefore subject to the Regulation. Hence my reference at the start of this article to the notion that the EU is extending the scope of its jurisdiction worldwide.

The definition of personal data is broad. As well as a person’s name, photo, email address, bank details, social media posts and medical information, it also includes identifiers of genetic, mental, cultural, economic and social identity.

The penalties for non-compliance are very tough with fines up to 20 million Euros (or 4% of annual global revenues if greater, meaning that the big tech companies are really on the hook).

So by way of summary, GDPR actually applies to you if:

  1. you locate your business in the EU;
  2. you offer goods or services to EU Data Subjects, regardless of payment;
  3. you monitor the behavior of EU Data Subjects (tracking to create profiles, or use of personal data of EU Data Subjects to serve targeted ads); or
  4. you process or hold personal data of EU Data Subjects, and “processing” is defined to include collecting, storing, duplicating, structuring, linking, retrieving, using and deleting.

There are two main categories:

  1. a Controller who collects and determines the purpose and means of processing (whether alone or with others); and
  2. a Processor who processes personal data on behalf of the Controller.

You can, of course, be both. So if you have an opt-in page, build a list by giving away a free e-book, or invite someone to a webinar to get personal data in return, then you are a Controller and consequently you need to be aware of this.

A Processor merely deals with the Controller to undertake certain data processing functions.

So GDPR will affect your marketing and may require you to have in place some Data Processing Agreements.

You will no doubt have noticed the sudden plethora of cookie announcements when you visit a website for the first time. In some cases, you are invited to consider changing privacy settings in relation to information storage and access, personalization, ad selection, delivery and reporting, measurement and vendor consents. You have GDPR to thank for this.

I live in England, and I have even noticed recently that I have been unable to access certain news sites and blogs based in the USA. In trying to click to one such site, I recently received this extraordinary announcement:

“451: Unavailable due to legal reasons. We recognize you are attempting to access this website from a country belonging to the European Economic Area (EEA) including the EU which enforces the General Data Protection Regulation (GDPR) and therefore access cannot be granted at this time. For any issues, contact [details were provided].”

In my opinion, this is rather absurd and an over-the-top reaction, and I would be surprised if this was the intention of the legislation. But nevertheless, it underlines just how serious this legislation is. If you are ever suffering from insomnia you could always read up about GDPR. I’m fairly confident it will send you to sleep. Here it is:

Lots of other potential minefields

There are many other things to be really careful of. Some of the most significant are:

  • not complying with online advertising laws
  • offering a business opportunity without complying with FTC regulations such as concerning earnings disclaimers
  • not providing certain disclosures for a membership website
  • not complying with the Restore Online Shoppers’ Confidence Act (ROSCA)
  • not managing rogue affiliates sufficiently and carefully
  • having a social media giveaway campaign being classified as an illegal lottery
  • outsourcing and copyright
  • food supplements
  • breach of copyright using copied boilerplate privacy statements
  • the Children’s Online Privacy Protection Act 1998 (COPPA)
  • claims and promises in general

However, try not to stay up at night worrying about this stuff. The best way to avoid that is to have a proper legal strategy in place which goes hand in hand with your marketing. Finally, of course, this article obviously would not be complete without my stressing that this information is not legal advice and has been provided for educational purposes only!!! You’d expect a disclaimer like that, wouldn’t you?

Nicholas Orosz

Lawyer, Author and Human Rights Advocate

Nicholas studied law at Pembroke College, Cambridge, England, and had a career in corporate law that cost him numerous sleepless nights over yet another corporate contract. He is the co-author of Tibet: The Position in International Law, and the highlight of his legal career was being approached by one of the world’s great spiritual leaders for advice on legal matters. He is currently writing a book about the uses of the law. He is raising his two sons and helps people who want to make a living online avoid the legal pitfalls of the internet. You can find his website here.