George S. Isaacson

Many online merchants have been watching closely the saga of the Direct Marketing Association's (DMA) constitutional challenge to a 2010 Colorado law targeting remote sellers. This legislation would require out-of-state catalog and internet retailers that do not collect Colorado state and local sales tax to turn over customer transaction information to the Colorado Department of Revenue.

Unfortunately, it's not a question of if, but when your company will experience a data breach. Whether caused by a hacker, equipment failure, theft, disgruntled employee or a vendor error, most retailers will experience an incident resulting in the unauthorized disclosure of confidential customer or employee information. According to the Open Security Foundation and security consultancy Risk Based Security, last year set a record for the number of reported data breach incidents — 2,644 incidents, more than double the number in 2011, which previously had been the highest amount in one year.

If your company uses cookies — small information files that are downloaded onto a computer or mobile device when a user visits a website which enable the website operator to recognize the user's device and preferences — on its website, and the website is either "designed for the European market" or "provides products or services to customers in Europe," you should be aware of the new European Union (EU) Cookie Directive.

On Nov. 9, 2011, a group of 10 senators from both sides of the aisle introduced the Marketplace Fairness Act, S.1832. On Oct. 13, 2011, a similar bipartisan bill was introduced in the House of Representatives called the Marketplace Equity Act.

The Supreme Court of California recently ruled that collecting ZIP codes from customers who paid by credit card may subject merchants to class-action lawsuits. Dozens of such actions have already been filed, including against retailers "yet to be named." Reported settlements paid by some companies have exceeded $25 million. The lesson is clear: All retailers should review their customer information collection practices in light of California law (and other states) to avoid becoming the target of class-action lawyers.

State legislatures continue to experiment with novel nexus legal theories in their persistent drive to compel use tax collection by retailers located beyond their borders. The most recent state efforts are aimed directly at online retailers through passage of so-called "Amazon laws."

On Jan. 26, a United States District Court Judge in Denver entered a preliminary injunction against the Colorado Department of Revenue in the lawsuit that the Direct Marketing Association (DMA) brought challenging Colorado's new notice and reporting law, H.B. 10-1193. This controversial legislation — the enforcement of which is now suspended by the court's order — imposes three sets of obligations on out-of-state retailers that don't have nexus in the state and don't collect Colorado sales tax.

On June 30, the Direct Marketing Association (DMA) filed a lawsuit in U.S. District Court in Denver against the executive secretary of the Colorado Department of Revenue challenging the constitutionality of Colorado's new consumer notice and reporting law that's targeted at out-of-state retailers who don't collect Colorado sales tax.

A recent federal appellate court decision concluded that the 
removal of a product's universal product code (UPC) may constitute a trademark infringement. In Zino Davidoff SA v. CVS Corp., decided this past June, the court supported claims of a high-end distributor of luxury fragrances because "the UPC acts as a quality control mechanism which enables [the trademark owner] to protect the reputation of its trademarks by identifying counterfeits and by protecting 
against defects."

Last year, 12 states had do-not-mail legislation under consideration. But none of the bills were enacted. This year, however, bills already have been refiled in some states, and new bills have been introduced in Connecticut, Florida and New Jersey. With varying enforcement mechanisms, the laws would prohibit mailing unsolicited direct marketing materials to persons who enter their names and addresses to state-maintained registries.