Regulatory Landscape for Fintech, Electronic Commerce, and Electronic Banking: Part One

Wilson Sonsini Goodrich & Rosati

Part 1: Electronic Commerce

This is the first part of a two-part article discussing the regulatory landscape for financial technology as applied to electronic commerce and electronic banking. This article focuses on electronic commerce.

A. Introduction

Cloud computing and mobile apps have enabled the emergence of a new class of business models leveraging financial technology (fintech) across electronic commerce (e-commerce) and electronic banking (e-banking). More recently, blockchain has underpinned the rebooting of a variety of e-commerce and e-banking business models, together with new approaches to managing financial compliance.

As technology makes it easier for business-to-business (B2B) and business-to-consumer (B2C) companies to grow quickly, legal and regulatory compliance is becoming important at ever earlier corporate stages. For example, start-up companies involved in omnicommerce can quickly find themselves processing data that is subject to a variety of legal and regulatory obligations, such as PCI DSS requirements relating to payment card data, Regulation E obligations relating to electronic fund transfers, and Bank Secrecy Act (BSA) and USA PATRIOT Act obligations relating to the management of funds and customer identities.

This paper provides an overview of the typical flow of e-commerce and e-banking transactions through the fintech stack. Next, it introduces a graphical overview of the regulatory landscape applicable to e-commerce and e-banking. From there, it summarizes the main legislative and regulatory frameworks applicable to e-commerce. The conclusion highlights a few specific business models and issues that may arise for entities operating in the e-commerce space.

Part two of this paper, which will be released subsequently, will provide an overview of the regulatory frameworks applicable to e-banking and will also discuss in more detail the interplay between e-commerce, e-banking, and blockchain technologies, including cryptocurrencies and cryptographic tokens deployed in the stream of commerce and banking. Other follow-up papers will explore in detail specific regulatory frameworks applicable to entities involved in e-commerce and e-banking, such as Regulation E, loyalty programs, prepaid cards, the use of gift cards and automated clearing house (ACH) transfers as complements or alternatives to the credit card payment rails, and SKU- and service-level data monetization.

B. Overview of E-Commerce and E-Banking

Figure 1 shows an overview of consumer transactions processed through electronic fintech channels in the financial space.

Fig. 1
Financial Consumer Transactions Through Electronic Channels

A consumer transaction could be classified as either an e-commerce transaction or as an e-banking transaction depending on the flow and subject matter. The fundamental difference between the two transaction types can be reduced to whether the consumer is paying for a product or service designed for the consumer's consumption or use (which makes it an e-commerce transaction), or a transaction involving the storage, movement, or investment of money (which makes it an e-banking transaction). This terminology may vary in the industry, and some regulatory and transaction aspects may overlap between the two classifications, but this article adopts this terminology and follows the transaction flows shown in Figure 1 above and Figure 2 below.

1. E-Commerce Transactions

In an e-commerce transaction involving a product or service, the payment for the product or service could occur in a number of ways:

  • a one-time purchase of a product (e.g., purchasing a USB cable online for home delivery, purchasing a cup of coffee through the mobile app for pickup in a Starbucks location, etc.);
  • a one-time payment for a service (e.g., paying for a handyman to perform home improvement work, paying for a car ride through the Uber or Lyft mobile app, ordering delivery of a meal, etc.);
  • a subscription to a service (or membership) involving recurring payments (e.g., a subscription to Netflix through the website, an ongoing wireless mobile account with AT&T or Verizon, etc.); or
  • a freemium business model, under which a service provider stores an active consumer payment method, typically a credit card, and provides free services to the consumer with the option to also pay for specific premium products or services (e.g., Google Android or Gmail, which are typically free, and which enable consumers to pay for Android apps through the Google Play Store, purchase additional storage space on Google Drive, etc.).

E-commerce transactions flow through the omnicommerce stack, and involve the movement of money and data across one or more omnicommerce layers. Examples of omnicommerce layers include technology and services providing the following functionality:

  • payments, typically processed through a credit card or an ACH transaction;
  • gift cards and gift accounts;
  • store gift cards and gift accounts;
  • prepaid cards or prepaid accounts;
  • loyalty programs (including loyalty cards, award cards, and promotional gift cards);
  • digital offers and electronic coupons;
  • point-of-sale transactions;
  • CRM functionality;
  • sales tax computation;
  • ERP functionality;
  • inventory management functionality;
  • financial reporting functionality; or
  • data analytics.

2. E-Banking Transactions

In an e-banking transaction, a consumer uses a mobile app or a web browser to access traditional banking services. Many of those transactions rely on cloud technology, either for transaction processing via application programming interfaces (APIs) and cross-institution functionality, or for data storage and retrieval. More recently, blockchain business models have leveraged immutability, deep traceability of data, and smart contracts as novel mechanisms to perform banking services.

As shown in Figure 1, an e-banking transaction initiated by a consumer could access one or more traditional banking services, including the following:

  • deposits and withdrawals;
  • checking account services;
  • savings account services;
  • initiating, conducting, closing, and managing lending transactions;
  • remittances (i.e., money transfers), both within the U.S. and between the U.S. and other countries;
  • vehicle leasing, including emerging variations of vehicle leasing that have attributes of SaaS subscription business models;
  • fund settlement as part of other e-commerce or e-banking transactions; and
  • foreign exchange (FOREX) transactions that involve the transmittal of large amounts of money internationally and conversion between different currencies. Fund settlement and FOREX transactions tend to be more commercial in nature, but there is a growing overlap between business and consumer utilization of e-banking and e-commerce services.

3. Advertising, Data Analytics, and Data Monetization

Figure 1 shows advertising, data analytics, and data monetization as a common layer that intermediates between the omnicommerce stack and e-banking services on one hand, and merchants and financial institutions on the other hand. As this diagram illustrates, advertising, data analytics, and data monetization are fundamental technologies and business models that permeate both e-commerce and e-banking.

During the past few years, some of the most successful business models and companies have been built on the analytical and economic value of data (e.g., Google, LinkedIn, etc.). As the margins in payment processing decreased over time, the value of commerce data analytics increased quickly as a basis for consumer profiling and consumer behavioral prediction. As a result, companies involved in both the e-commerce and e-banking spaces have devoted increasingly more attention and resources to collecting, analyzing, and monetizing commerce data.

The ultimate goal of data monetization is to collect SKU-level transaction data in the e-commerce space (e.g., what exactly was included in that total purchase price of $10.43 from Starbucks?) and transaction-level data in the e-banking space (what type of car did this consumer lease, and what other cars have been leased or purchased by that household recently?). That makes cloud-based point-of-sale and loyalty companies particularly valuable in the e-commerce space, and account holders and transaction processors especially valuable in the e-banking space. In other words, obtaining data that allows a merchant to optimize a digital offer for a consumer, or data that allows a bank to recommend a particular financial product to a consumer can be very valuable. And from a technology perspective, any integrated electronic platform that can collect, aggregate, and analyze detailed commerce data is of immediate interest to financial institutions.

Consequently, collecting transaction-level consumer data, analyzing that data, and then monetizing the data are common goals and major sources of potential revenue for both the e-commerce and e-banking industries. Data monetization, however, quickly bumps up against a regulatory environment that has grown more protective of consumers in the past few years, including a complex web of privacy laws promulgated by U.S. states and U.S. federal agencies, the Canadian Federal Government and Canadian provinces, the EU (e.g., GDPR), countries in APAC, and so on. In parallel with these privacy laws, there exists a complex web of regulations enforced by U.S. federal agencies (e.g., the FTC and CFPB), and consumer protection regulations enforced by the card networks through direct card processing rules and through standards (e.g., PCI DSS).

C. E-Commerce and E-Banking Regulatory Landscape

Figure 2 shows an overview of the regulatory landscape for the e-commerce and e-banking industries.

Fig. 2
Regulatory Landscape for E-Commerce and E-Banking

As shown in Figure 2, extensive regulatory frameworks apply across both the omnicommerce stack and e-banking services stack. Additionally, there is significant overlap between the regulatory frameworks applicable to e-commerce and e-banking both at the supervisory level (e.g., the Federal Reserve plays fundamental regulatory roles for both e-commerce and e-banking) and at the functional level (e.g., the Dodd-Frank Act covers significant aspects of both e-commerce and e-banking).

D. E-Commerce Regulatory Landscape

As shown in Figure 2, the e-commerce ecosystem is overseen by a number of regulatory agencies, both in the U.S. and abroad, including the following:

Regulatory Authority | Activities in E-Commerce
The Federal Reserve System (Fed)
  • The Fed conducts U.S. monetary policy to promote maximum employment, stable prices, and moderate long-term interest rates in the U.S. economy
  • The Fed promotes the stability of the financial system and seeks to minimize and contain systemic risks through active monitoring and engagement in the U.S. and abroad
  • The Fed also promotes the safety and soundness of individual financial institutions and monitors their impact on the financial system as a whole
  • The Fed is the lender of last resort to member banks (through discount window lending)
  • In “unusual and exigent circumstances,” the Fed may extend credit beyond member banks, to provide liquidity to the financial system, but not to aid failing financial firms
  • Under Title II of the Dodd-Frank Act, the Fed (together with the FDIC) may recommend that the Treasury Secretary place a financial company that poses a grave threat to financial stability into an orderly liquidation process, with the FDIC acting as receiver
Consumer Financial Protection Bureau (CFPB)
  • Regulates non-bank mortgage-related firms, private student lenders, payday lenders, and larger consumer financial entities
  • Does not supervise insurers, SEC and CFTC registrants, auto dealers, sellers of non-financial goods, real estate brokers and agents, and banks with assets less than $10 billion
  • Writes rules to carry out federal consumer financial protection laws
The Federal Trade Commission (FTC)
  • Protects consumers from unfair and deceptive practices in the marketplace
  • Maintains competition to promote a marketplace free from anticompetitive mergers, business practices, or public policy outcomes
Various U.S. State Governments (e.g., the Attorneys General and Legislatures of the various states define and enforce a wide range of regulations affecting e-commerce)
  • Full range of regulatory coverage that parallels the U.S. federal regulatory system (to the extent not preempted by federal laws and regulations)
  • Regulate most entities operating in the state
  • Regulatory oversight often applies even to businesses that operate over the web or via mobile platforms and in the absence of a physical presence in the state, as long as such businesses transact with consumers and businesses in that state
Various national Governments and regulatory agencies around the world (e.g., the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) in the U.K.)
  • Full range of regulatory coverage that parallels the U.S. federal and state regulatory systems
Various regulatory bodies and administrative agencies operating at the regional level internationally (e.g., the European Commission (EC), the European Data Protection Board (EDPB) established by the General Data Protection Regulation (GDPR), etc.)
  • Specific regulatory segments, typically focused more narrowly on specific issues affecting international trade and commerce
The PCI Security Standards Council (founded by Visa, MasterCard, American Express, Discover, and JCB)
  • Defines and manages the security standards applicable to the member credit card networks
The National Automated Clearing House Association (NACHA) in the U.S.; the European Commission, European Central Bank, and other European national and regional authorities, together with the European Payments Council (EPC), in Europe
  • NACHA administers the ACH rules in the U.S.; the EPC, together with the European authorities, administers the SEPA rulebooks in Europe
  • NACHA and the EPC define, maintain, and enforce the operation of electronic fund transfers running through the automated clearing house (ACH) network in the U.S. and the Single Euro Payments Area (SEPA) network in Europe, respectively
  • NACHA and the EPC perform parallel roles in the U.S. and Europe, and each of them also pursues additional initiatives beyond ACH and SEPA
Various global Credit Card Networks/Schemes (Visa, MasterCard, AMEX, Discover, JCB, etc.)
  • Define, maintain, and enforce the operating rules of their respective credit card networks

The regulatory frameworks that apply to the e-commerce ecosystem include the following:

Regulatory Framework | Scope of Coverage
The unfair, deceptive, or abusive acts or practices framework (UDAAP) overseen by the CFPB
  • Unfair, deceptive, or abusive acts and practices can cause significant financial injury to consumers, erode consumer confidence, and undermine the financial marketplace. Under the Dodd-Frank Act, it is unlawful for any provider of consumer financial products or services or a service provider to engage in any unfair, deceptive, or abusive act or practice
  • The CFPB enforces UDAAP rules to prevent unfair, deceptive, or abusive acts or practices for consumer financial products and services. Consequently, the UDAAP regulations apply to any entity that markets or provides financial products and services to consumers
The unfair or deceptive acts or practices framework (UDAP) overseen by the FTC
  • Section 5(a) of the Federal Trade Commission Act (FTC Act) (15 USC §45) prohibits “unfair or deceptive acts or practices in or affecting commerce.” This prohibition applies to all persons engaged in commerce, including banks. The FTC itself does not have enforcement jurisdiction over banks, however; the federal banking agencies are authorized under Section 8 of the Federal Deposit Insurance Act (FDIA) to take appropriate action when unfair or deceptive acts or practices (UDAP) are discovered at the institutions they supervise
  • Given the overlap in terminology between UDAAP and UDAP, it is not surprising that the FTC and the CFPB could overlap in their regulatory activities. Indeed, when a UDAP violation is identified in the course of an examination or investigation, the agency is expected to look for violations of parallel laws and regulations as well
The Electronic Fund Transfer Act (EFTA) - Regulation E
  • Regulation E, which implements the EFTA, is the primary consumer-protection framework for electronic payments in e-commerce
  • Regulation E protects consumers engaging in electronic fund transfers (EFTs) and remittance transfers, including:
    • transfers through automated teller machines (ATMs);
    • point-of-sale (POS) terminals;
    • ACH systems;
    • telephone bill-payment plans in which periodic or recurring transfers are contemplated;
    • remote banking programs; and
    • remittance transfers
  • The Dodd-Frank Act transferred rulemaking authority under the EFTA from the Fed to the CFPB (with the exception of the debit card interchange provisions, which remain with the Fed under Regulation II)
The Dodd-Frank Act and subsequent amendments
  • The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank) is a comprehensive regulatory framework that restructured large areas of e-commerce and e-banking, including the creation of the Consumer Financial Protection Bureau (CFPB)
  • Dodd-Frank covered a wide range of e-commerce and e-banking regulatory matters, and was implemented through material revisions to existing rules and legislation coupled with new legislation and reassignment of enforcement obligations among existing and newly created federal agencies. For example, Dodd-Frank covered issues such as the orderly liquidation authority of financial entities (Title II), reassignment of various agencies responsibilities (Title III), regulation of insurance (Title V), regulation of bank and savings associations (Title VI), regulation of payment and settlement activities (Title VIII), the establishment and assignment of duties to the CFPB (Title X), and more
  • Dodd-Frank was subsequently rolled back in some e-banking and e-commerce areas by the Economic Growth, Regulatory Relief and Consumer Protection Act, which became effective in 2018
  • A much broader bill designed to materially scale back Dodd-Frank (the Financial CHOICE Act) was passed by the House of Representatives in 2017, but was never taken up by the Senate
Truth in Lending Act (TILA) - Regulation Z
  • The Truth in Lending Act (TILA) was enacted on May 29, 1968, as title I of the Consumer Credit Protection Act and has been amended extensively since then, including material changes made pursuant to the Dodd-Frank Act. TILA is implemented by Regulation Z
  • TILA applies to both e-commerce and e-banking, and generally seeks to ensure that credit terms are disclosed in a meaningful way so consumers can compare credit terms more readily and knowledgeably. Creditors must use the same credit terminology and expressions of rates. In addition to providing a uniform system for disclosures, TILA regulates credit billing and credit card practices, provides consumers with rescission rights in certain lending transactions, establishes rate caps on certain dwelling-secured loans, regulates home equity lines of credit and certain closed-end home mortgages, and generally prohibits unfair or deceptive mortgage lending practices
Consumer Leasing Act - Regulation M
  • The Consumer Leasing Act (CLA) was enacted in 1976 as an amendment to TILA and was originally implemented through Regulation Z. Its implementing rules were subsequently moved to Regulation M, which has been amended further and eventually came within the regulatory scope of the CFPB
  • The CLA generally applies to consumer leases of personal property and requires accurate disclosure of lease terms to help consumers compare different leases, and to compare the cost of leasing with the cost of buying. In addition, the CLA puts limits on balloon payments sometimes due at the end of a lease and regulates advertising
Prepaid Accounts Rule
  • Implemented through amendments to Regulation E (under the EFTA) and Regulation Z (under TILA)
  • The prepaid accounts rule is another fundamental framework for e-commerce given the recent popularity of prepaid accounts as alternative mechanisms to store, distribute, and spend funds by both employers and consumers
  • Material amendments to Regulation E were recently finalized and will become effective on April 1, 2019
  • Covers disclosures, limitations of consumer liability, error resolution, and periodic statements for certain types of prepaid cards
  • Regulates overdraft credit features that may be offered in conjunction with prepaid accounts
Expedited Funds Availability Act (EFA Act) - Regulation CC
  • Regulation CC implements the Expedited Funds Availability Act (EFA Act) and the Check Clearing for the 21st Century Act (Check 21)
  • Requires banks to make available funds deposited into transaction accounts according to specified time schedules and to disclose their funds availability policies to their consumers
  • Expedites the collection and return of checks and electronic checks, and describes requirements that affect banks that create or receive substitute checks
Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM)
  • CAN-SPAM regulates commercial aspects of electronic communications
  • Requires warning labels for commercial electronic mail that contains sexually oriented material
  • Prohibits senders from charging a fee or imposing other requirements on recipients who wish to opt out
  • Each separate email in violation can trigger a penalty of up to $41,484 (the inflation-adjusted amount at the time of writing)
Telephone Consumer Protection Act (TCPA)
  • The TCPA restricts telephone solicitations (i.e., telemarketing) and the use of automated telephone equipment
  • Limits the use of automatic dialing systems, artificial or prerecorded voice messages, SMS text messages, and fax machines
  • Specifies several technical requirements for fax machines, autodialers, and voice messaging systems (e.g., requiring identification and contact information of the sender)
E-Sign Act
  • The E-Sign Act provides a general rule of validity for electronic records and signatures for transactions in or affecting interstate or foreign commerce
  • Allows the use of electronic records to satisfy any statute, regulation, or rule of law requiring that such information be provided in writing, if the consumer has affirmatively consented to such use and has not withdrawn such consent
  • The E-Sign Act is invoked extensively throughout various other rules and regulations enforced by the FDIC, CFPB, FTC, and other government agencies as a framework for obtaining end consumer consents
Fair Credit Reporting Act (FCRA) - Regulation V
  • The FCRA (Regulation V) is a regulatory framework for the furnishing, use, and disclosure of information in reports associated with credit, insurance, employment, and other decisions made about consumers
  • Imposes a number of obligations on entities that qualify as "consumer reporting agencies" and on persons who use consumer report information (users) or furnish information to consumer reporting agencies (furnishers)
  • Requires that furnishers ensure the accuracy of the data placed in the consumer reporting system
  • Prohibits the use of consumer reports for impermissible purposes, and requires users of consumer reports to provide certain disclosures to consumers
  • Limits certain information sharing between affiliated companies
Right to Financial Privacy Act (RFPA)
  • The RFPA establishes specific procedures that federal government authorities must follow in order to obtain information from a financial institution about a customer's financial records. Generally, these requirements include obtaining subpoenas, notifying the customer of the request, and providing the customer with an opportunity to object. The RFPA imposes related limitations and duties on financial institutions prior to the release of information requested by federal authorities.
  • The RFPA has been amended several times in recent years to permit greater access without customer notice to customer information requested for criminal law enforcement purposes and for certain intelligence activities.
Children's Online Privacy Protection Act (COPPA)
  • The primary goal of COPPA is to place parents in control over what information is collected from their young children online.
  • COPPA protects children under age 13 and applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children.
  • Also applies to operators of general audience websites or online services in some cases.
  • Obligations include disclosures, opt-in rights for parents, etc. Parental rights under COPPA parallel aspects of GDPR (this reinforces the general guidance that compliance with GDPR is helpful to achieve universal privacy compliance within the U.S. and globally)
Payment Card Industry Standards
  • The payment card industry (PCI) establishes, monitors, and enforces a wide range of standards through the PCI Security Standards Council (PCI Council). These standards govern the processing of payment cards and cardholder data through the member credit card networks. It is important to note that enforcement of compliance with PCI DSS and determination of any non-compliance penalties are carried out by the individual payment networks and not by the PCI Council.

The standards developed and maintained by the PCI Council include the following:

  • The Payment Card Industry Data Security Standard for Merchants & Processors (PCI DSS) is a global data security standard that applies to entities involved in the processing of payment cards through the member credit card networks. PCI DSS covers a wide range of vendors, merchants, banks, and payment processors, and addresses 12 categories of security requirements
  • The Payment Application Data Security Standard (PA-DSS) is a global standard that parallels PCI DSS and applies to software developers and integrators of applications that store, process, or transmit cardholder data as part of payment authorization or settlement. PA-DSS covers 14 categories of security requirements. It is important for e-commerce merchants and retailers to realize that use of a PA-DSS compliant application by itself does not make the merchant or retailer automatically PCI DSS-compliant, because the application must be implemented into a PCI DSS compliant environment and must be deployed in accordance with the PA-DSS Implementation Guide provided by the application vendor. (PA-DSS has since been retired in favor of the PCI Software Security Framework, which is the validation path for new payment applications)
  • The PCI Point-to-Point Encryption (P2PE) Standard facilitates the development, approval, and deployment of PCI-approved P2PE solutions that increase the protection of cardholder data by encrypting data from the point of interaction within the encryption environment where account data is captured through to the point of decrypting that data inside the decryption environment. The P2PE Standard is directed at P2PE solution providers and other entities that provide P2PE components or P2PE applications for use in P2PE solutions
  • The PIN Transaction Security (PTS) Hardware Security Module (HSM) Standard establishes requirements for designing HSMs to meet the security needs of the payments industry, and for protecting those HSMs up to the point of initial deployment. Other security requirements apply at the point of deployment for the management of HSMs. The PTS HSM Standard provides vendors with a list of all security requirements against which their products will be evaluated in order to obtain PCI PTS HSM device approval
  • The PCI PIN Security Requirements Standard establishes requirements for the secure management, processing, and transmission of personal identification number (PIN) data during online and offline payment card transaction processing at ATMs and attended and unattended point-of-sale (POS) terminals. The PIN Security Requirements include 33 requirements organized into seven control objectives. They apply to acquiring institutions and agents (e.g., key-injection facilities and certificate processors) responsible for PIN transaction processing on cardholder accounts, but do not apply to issuers. The PIN Security Requirements identify minimum security requirements for PIN-based interchange transactions, outline the minimum acceptable requirements for securing PINs and encryption keys, and protect cardholder PINs. The individual payment brands monitor and enforce compliance with this standard
  • The PIN Transaction Security (PTS) Point of Interaction (POI) Standard provides vendors with a list of all the security requirements against which their product will be evaluated in order to obtain PCI PTS POI device approval. The PTS POI Standard applies to products in the following categories:
    • PED or UPT POI devices: Complete terminals that can be provided to a merchant “as-is” to undertake PIN-related transactions. This includes attended and unattended POS PIN-acceptance devices
    • Non-PIN acceptance POI devices evaluated for account data protection
    • Encrypting PIN pads that require integration into POS terminals or ATMs. Overall requirements for unattended PIN-acceptance devices currently apply only to POS devices and not to ATMs
    • Secure components for POS terminals: These products also require integration into a final solution to provide PIN transactions. Examples are OEM PIN entry devices and secure (encrypting) card readers
  • The Card Production and Provisioning (CPP) Standard applies to the security activities associated with card production and provisioning such as data preparation, pre-personalization, card personalization, PIN generation, PIN mailers, and card carriers and distribution. The CPP Standard applies to entities that: a) perform cloud-based or secure element (SE) provisioning services; b) manage over-the-air (OTA) personalization, lifecycle management, and preparation of personalization data; or c) manage associated cryptographic keys. The CPP Standard does not apply to vendors who are only performing the distribution of secure elements
  • The PCI Card Production and Provisioning Physical Security (CPPPS) Requirements Standard applies to entities involved in payment card production and provisioning, which may include manufacturers, personalizers, pre-personalizers, chip embedders, data-preparation, and fulfillment. The CPPPS Standard specifies the physical security requirements and procedures that entities must follow before, during, and after the following processes: card manufacturing, chip embedding, personalization, storage, packaging, mailing, shipping or delivery, and fulfillment
  • The PCI Three-Domain Secure (3-D Secure, or 3DS) Standard defines a messaging protocol that enables consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce purchases. The additional security layer helps prevent unauthorized CNP transactions and protects the merchant from exposure to CNP fraud. This standard is intended to support app-based authentication and integration with digital wallets, as well as traditional browser-based e-commerce transactions. The three domains consist of the merchant/acquirer domain, the issuer domain, and the interoperability domain (for example, payment systems). The PCI 3DS Security Requirements apply to the EMV 3-D Secure Core Components (ACS, DS, and 3DS Server) that perform the functions defined in the EMV 3-D Secure Protocol and Core Functions Specification. The PCI Council maintains a set of related standards documents specifying the compliance requirements for entities involved with 3DS transactions, products, or services
  • Additional security requirements and assessment procedures for token service providers (EMV payment tokens). This standard establishes physical and logical security requirements and assessment procedures for token service providers that generate and issue EMV payment tokens. A token service provider is an entity that provides a token service comprised of the token vault and related processing, and has the ability to set aside licensed ISO BINS as token BINs to issue payment tokens for PANs
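What a token vault does in practice, as an added example written for this page rather than taken from the PCI or EMV documents: each PAN is replaced by an unpredictable, Luhn-valid token drawn from a BIN reserved for tokens, a keyed blind index lets the vault find an existing token for a PAN without keeping a cleartext reverse table, and detokenization is refused unless the caller is the token requestor and channel the token was issued for. The token BIN, the index key, the test PAN and the requestor names are constructed; the in-memory dictionaries stand in for the encrypted, HSM-backed store a real vault would use.

```python
"""Token vault sketch: PAN -> Luhn-valid payment token from a reserved token
BIN, a keyed blind index for PAN lookups, and domain-restricted detokenization.
Editor's illustration, not the EMV or PCI token specifications; the in-memory
dicts stand in for an encrypted, HSM-backed vault."""
import hashlib
import hmac
import secrets


def luhn_check_digit(body: str) -> str:
    """Digit that makes body + digit pass the Luhn test (body has no check digit)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:                   # rightmost body digit is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return (number.isdigit() and 13 <= len(number) <= 19
            and luhn_check_digit(number[:-1]) == number[-1])


class TokenVault:
    """Maps PANs to payment tokens and back, the way a token service provider's
    token vault does. A token is only valid for the token requestor and use
    domain (e.g. "ECOM" vs "POS") it was issued for."""

    def __init__(self, token_bin: str, index_key: bytes):
        self.token_bin = token_bin       # BIN set aside for tokens (assumed value)
        self._index_key = index_key      # blind-index key; HSM-held in a real vault
        self._by_token = {}              # token -> {"pan", "requestor", "domain"}
        self._by_index = {}              # HMAC(pan|requestor|domain) -> token

    def _blind_index(self, pan: str, requestor: str, domain: str) -> str:
        # Answers "is there already a token for this PAN?" without a cleartext
        # PAN -> token table sitting next to the vault.
        msg = f"{pan}|{requestor}|{domain}".encode()
        return hmac.new(self._index_key, msg, hashlib.sha256).hexdigest()

    def _new_token(self, length: int) -> str:
        # Unpredictable body from a CSPRNG; the token carries no PAN digits.
        while True:
            body = self.token_bin + "".join(
                str(secrets.randbelow(10))
                for _ in range(length - len(self.token_bin) - 1))
            token = body + luhn_check_digit(body)
            if token not in self._by_token:
                return token

    def tokenize(self, pan: str, requestor: str, domain: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("PAN fails the Luhn check")
        if pan.startswith(self.token_bin):
            raise ValueError("value is already a token from this vault's BIN")
        idx = self._blind_index(pan, requestor, domain)
        if idx in self._by_index:
            return self._by_index[idx]   # one token per (PAN, requestor, domain)
        token = self._new_token(len(pan))
        self._by_token[token] = {"pan": pan, "requestor": requestor, "domain": domain}
        self._by_index[idx] = token
        return token

    def detokenize(self, token: str, requestor: str, domain: str) -> str:
        """Only the issuing requestor, in the issuing domain, gets the PAN back;
        a token stolen from an e-commerce merchant is useless at the POS."""
        rec = self._by_token.get(token)
        if rec is None or rec["requestor"] != requestor or rec["domain"] != domain:
            raise PermissionError("unknown token or domain restriction not met")
        return rec["pan"]

    def last_four(self, token: str) -> str:
        """Receipt-friendly view: the PAN's last four digits, never the PAN."""
        return self._by_token[token]["pan"][-4:]


if __name__ == "__main__":
    vault = TokenVault("990000", index_key=b"constructed-demo-key")
    pan = "4111111111111111"                       # widely used test PAN
    tok = vault.tokenize(pan, "merchant-42", "ECOM")
    print(tok, luhn_valid(tok), vault.last_four(tok))
    print(vault.detokenize(tok, "merchant-42", "ECOM") == pan)
    try:
        vault.detokenize(tok, "merchant-42", "POS")
    except PermissionError as exc:
        print("blocked:", exc)
```

The blind index is keyed so that a dump of the index alone does not let an attacker test candidate PANs offline; the domain check is what turns a leaked token into a low-value secret, which is the property that lets merchants keep tokens outside their PCI DSS scope.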
Payment Card Networks Rules
  • Visa, MasterCard, and other credit card network operators have established extensive rules that govern the processing, authorization, settlement, and other aspects of payment card processing. These rules apply to e-commerce merchants and retailers that accept payment cards online, via mobile apps, or in physical brick-and-mortar stores
  • These rules become more relevant for e-commerce business models that include recurring payment plans and/or aggressive card processing practices. For example, merchants using more sophisticated and aggressive card processing methods, or working with vendors that specialize in card fund collection, may see their chargeback rate climb towards 1 percent, at which point they may come under particular scrutiny from the card network brands and may eventually incur fines. Nevertheless, balancing more aggressive card processing programs with good business procedures and fair-but-firm collection practices can significantly increase the net profit margin for e-commerce merchants. It is important to consider other applicable laws and regulations for programs like these, however, including the UDAAP and UDAP frameworks overseen by the CFPB and FTC (see discussion above)
National Automated Clearing House Association (NACHA) Operating Rules in the U.S.
Single Euro Payments Area (SEPA) Regulation in Europe, implemented by Regulation (EU) No 260/2012 of the European Parliament and of the Council of March 14, 2012, and by the European Payments Council Rulebooks
  • The National Automated Clearing House Association (NACHA) administers the Automated Clearing House (ACH) rules in the U.S.
    • The ACH Network connects U.S. banks, credit unions and other financial institutions, and a variety of IT vendors, and enables the movement of money and ACH data between them.
    • NACHA administers a set of operating rules for ACH payments, which define the roles and responsibilities of ACH Network participants. These operating rules address issues similar to those covered by the card network rules, including consumer disclosures, consents, payment processing rules, etc.
  • ACH transactions can include debit or credit payments, direct deposit of payroll, deposit of government and Social Security benefits, electronic mortgage and bill payments, online banking payments, person-to-person (P2P) and business-to-business (B2B) payments, etc.
  • An ACH transaction typically flows as follows:
    • An originator (e.g., a consumer or business) initiates either a direct deposit (an ACH credit) or a direct payment (an ACH debit) through the ACH Network
    • The originator's financial institution, the originating depository financial institution (ODFI), creates the ACH entry at the originator's request; entries are created and transmitted electronically
    • The ODFI may aggregate entries from its customers and transmit them in batches at regular, predetermined intervals to an ACH operator
    • The ACH operator receives the batches from the ODFI. There are two ACH operators: FedACH, run by the Federal Reserve Banks, and the Electronic Payments Network (EPN), run by The Clearing House. NACHA writes the operating rules but does not itself operate the network
    • The ACH operator sorts the entries and makes them available to the receiving depository financial institution (RDFI)
    • The RDFI debits or credits the receiver's account according to the type of entry. Receivers may include consumers and businesses
    • ACH credit entries normally settle in one to two banking days, and ACH debit entries on the next banking day; Same Day ACH allows qualifying entries to settle on the day they are submitted
  • The European Payments Council (EPC), working with the European Commission, the European Central Bank, and other European national and regional authorities, manages the Single Euro Payments Area (SEPA) payment schemes in Europe.
  • The EPC maintains four SEPA payment schemes, which cover electronic payment transactions across 34 European countries (both within individual countries and between countries):
    • SEPA Credit Transfer scheme
    • SEPA Instant Credit Transfer scheme
    • SEPA Direct Debit Core scheme
    • SEPA Direct Debit Business-to-Business scheme
  • In addition to managing the SEPA schemes, the EPC is also active in other areas of e-commerce in Europe, so ongoing regulatory activity should be expected in areas such as mobile payments, person-to-person remittances, e-invoicing, payment security, and card standardization.
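The batching step in the ODFI/operator/RDFI flow above, as an added example written for this page and not taken from the article or from NACHA's own materials: an ODFI assembles originator requests into fixed-width entry detail records and a batch control record in the NACHA file layout (as the editor understands it), validates each receiving routing number's check digit before accepting the entry, and the receiving side recomputes the control totals (entry count, entry hash, debit and credit totals) to detect a truncated or altered batch. The routing numbers, account numbers, amounts and company ID are constructed, and the transaction-code subset and field offsets are the editor's assumptions.

```python
"""ODFI-side ACH batching and receiving-side control-total verification.
Editor's illustration of the NACHA file layout as the editor understands it;
all sample data is constructed."""
from dataclasses import dataclass

RTN_WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)
CREDIT_CODES = {"22", "32"}   # credit to checking / savings (subset of NACHA codes)
DEBIT_CODES = {"27", "37"}    # debit from checking / savings (subset)


def routing_number_valid(rtn: str) -> bool:
    """ABA routing number check digit: weighted sum of all nine digits is 0 mod 10."""
    return (len(rtn) == 9 and rtn.isdigit()
            and sum(int(d) * w for d, w in zip(rtn, RTN_WEIGHTS)) % 10 == 0)


@dataclass
class Entry:
    transaction_code: str   # e.g. "22" credit to checking, "27" debit from checking
    receiving_dfi: str      # RDFI routing number, 9 digits
    account: str            # receiver's account at the RDFI
    amount_cents: int
    individual_id: str      # originator's reference for the receiver
    name: str


def entry_detail_record(e: Entry, odfi_id: str, seq: int) -> str:
    """Type '6' entry detail record, 94 fixed-width characters."""
    trace = odfi_id[:8] + f"{seq:07d}"            # ODFI routing prefix + sequence
    rec = ("6" + e.transaction_code
           + e.receiving_dfi[:8] + e.receiving_dfi[8]    # RDFI id + check digit
           + e.account[:17].ljust(17)
           + f"{e.amount_cents:010d}"
           + e.individual_id[:15].ljust(15)
           + e.name[:22].ljust(22)
           + "  "                                    # discretionary data
           + "0"                                     # no addenda record
           + trace)
    assert len(rec) == 94
    return rec


def build_batch(entries, odfi_id, company_id, batch_number=1):
    """Return (records, rejected): accepted entry records followed by the type
    '8' batch control record carrying count, entry hash and money totals."""
    records, rejected = [], []
    entry_hash = debits = credits = 0
    for e in entries:
        # The ODFI warrants the entries it originates, so it refuses anything it
        # cannot route or classify instead of forwarding it to the operator.
        if (not routing_number_valid(e.receiving_dfi) or e.amount_cents <= 0
                or e.transaction_code not in CREDIT_CODES | DEBIT_CODES):
            rejected.append(e)
            continue
        records.append(entry_detail_record(e, odfi_id, len(records) + 1))
        entry_hash += int(e.receiving_dfi[:8])
        if e.transaction_code in DEBIT_CODES:
            debits += e.amount_cents
        else:
            credits += e.amount_cents
    service_class = "200" if debits and credits else ("225" if debits else "220")
    control = ("8" + service_class + f"{len(records):06d}"
               + f"{entry_hash % 10**10:010d}"         # rightmost 10 digits of the hash
               + f"{debits:012d}" + f"{credits:012d}"
               + company_id[:10].ljust(10) + " " * 19 + " " * 6
               + odfi_id[:8] + f"{batch_number:07d}")
    assert len(control) == 94
    return records + [control], rejected


def verify_batch(records) -> bool:
    """What a receiving operator or RDFI recomputes: the batch is rejected if the
    entry count, entry hash or money totals disagree with the control record."""
    count = entry_hash = debits = credits = 0
    for rec in records:
        if rec[0] == "6":
            count += 1
            entry_hash += int(rec[3:11])
            amount = int(rec[29:39])
            if rec[1:3] in DEBIT_CODES:
                debits += amount
            else:
                credits += amount
        elif rec[0] == "8":
            return (count == int(rec[4:10])
                    and entry_hash % 10**10 == int(rec[10:20])
                    and debits == int(rec[20:32])
                    and credits == int(rec[32:44]))
    return False    # no control record: the batch was truncated in transit


# Constructed sample; routing numbers are chosen only to pass or fail the check digit.
SAMPLE = [
    Entry("22", "021000021", "000123456789", 125_000, "EMP-0001", "ALICE EXAMPLE"),
    Entry("27", "011000015", "000987654321", 4_999, "INV-2024-7", "BOB EXAMPLE"),
    Entry("27", "021000022", "000555555555", 10_000, "INV-2024-8", "BAD ROUTING"),
]

if __name__ == "__main__":
    batch, rejected = build_batch(SAMPLE, odfi_id="091000019", company_id="1234567890")
    for r in batch:
        print(r)
    print("rejected:", [e.name for e in rejected])
    print("verifies:", verify_batch(batch))
    tampered = batch[:1] + [batch[1][:29] + "0000499900" + batch[1][39:]] + batch[2:]
    print("tampered verifies:", verify_batch(tampered))
```

The control record is an integrity check, not an authentication check: it catches dropped or corrupted entries and mis-keyed amounts, but an attacker who can rewrite the whole batch can also rewrite the totals, which is why the transmission channel between ODFI and operator carries its own authentication.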
Uniform Electronic Transaction Act (UETA - States)
  • UETA provides uniform rules at the state level governing electronic commerce transactions. UETA parallels the E-Sign Act at the state level and establishes a legal foundation for the use of electronic communications in transactions where the parties have agreed to deal electronically. UETA validates and supports the use of electronic communications and records and places electronic commerce and paper-based commerce on the same legal footing.
  • UETA rules are primarily for "electronic records and electronic signatures relating to transactions" that are not subject to the Uniform Commercial Code (UCC). But UETA rules do affect sale transactions under Articles 2 and 2A of the UCC. UETA 1) creates a uniform standard for validating online contracts; 2) provides for the validity of transferable records executed online; and 3) creates consumer protections and safeguards.
  • In general, for a typical company involved in e-commerce or e-banking, complying with the E-Sign Act will also achieve UETA compliance. But some subtle differences do exist and can become relevant in some less-common applications.
Data privacy and security laws
  • E-commerce companies must also comply with extensive data privacy and data security legislation in the U.S. and around the world, which may be defined at the provincial level (e.g., Canadian provinces), national level (e.g., U.K., Germany, France), federal level (e.g., HIPAA, RFPA), state level (e.g., California, New York), regional or common market level (e.g., the GDPR within the European Union), or international level (e.g., the EU-U.S. Privacy Shield, which the Court of Justice of the EU invalidated in July 2020 and which has since been succeeded by the EU-U.S. Data Privacy Framework)
  • It is also important to understand that a particular e-commerce transaction may be subject to multiple laws and regulations relating to privacy or data security, and that some of these may pull in opposite directions (e.g., the PCI DSS requirement to keep stored cardholder data to a minimum v. tax-record retention requirements v. GDPR or California data minimization and erasure obligations)
  • Companies operating in the telecommunications industry, both wired and wireless, are subject to additional legal and regulatory requirements in the U.S. and in other countries, which address such companies' fundamental role in acting as communication conduits both domestically and internationally.

The regulatory landscape outlined above shows that data privacy and security is a complex topic that affects e-commerce from multiple directions, particularly with respect to data analytics and data monetization, and these issues will be addressed in more detail in a future paper.

E. Conclusion: Some Thoughts About E-Commerce Business Models

As can be seen from Figure 2, the regulatory landscapes for both e-commerce and e-banking are extensive, and while they overlap to a large extent, each of them also includes material areas of specialized regulations that are independent. This paper identified a number of major regulatory frameworks applicable to e-commerce, and Part two of this paper will discuss e-banking regulations, and the interplay among blockchain, e-commerce, and e-banking. Here are some concluding remarks:

1. Earlier-Stage Companies and Compliance Obligations

For earlier-stage companies, a business model that covers both e-banking and e-commerce is likely to trigger significant compliance obligations in both areas. Not only would such compliance obligations be expensive and require significant resource allocation, but they could also negatively impact the growth of the business if compliance is not implemented thoughtfully, progressively, and in parallel with the business expansion.

For example, an e-commerce platform that allows consumers to purchase products or services via mobile apps or websites may also look like an excellent platform for enabling money transfer features among consumers or businesses. The new remittance functionality, however, would likely trigger new and significant compliance obligations, such as obligations under money transmission laws (both federal and state), and compliance with the Bank Secrecy Act and the USA PATRIOT Act (e.g., KYC/CIP compliance and customer due diligence, suspicious activity reporting, currency transaction reporting, and information sharing with FinCEN). If the product and market support expansion, the company should pursue the growth and expand into the new e-banking areas, but it must be cognizant of its new regulatory obligations and should plan accordingly. Also, the company should ensure at the design stage that its technology platform can support the data collection and feature management prescribed by applicable laws. Changing a technology platform after wide consumer adoption to reactively implement regulatory requirements can be time consuming and expensive and can negatively impact operational reliability and customer satisfaction. As a general rule, when it comes to federal and state laws, doing first and asking for forgiveness later is a risky practice.

2. E-Banking v. E-Commerce Regulatory Burden

Overall, e-banking regulations tend to be more complicated and harder to implement than e-commerce regulations. Additionally, some financial services and products require an institution to obtain an operational bank charter, which may include authorization from a federal or state authority to operate as a bank, deposit insurance from the FDIC, minimum capital requirements, and other regulatory and compliance obligations. Consequently, from a regulatory compliance standpoint, it is generally easier for banks to expand into e-commerce than for commerce companies to add e-banking services. On the other hand, banks do not typically develop complex technology in-house, and therefore are generally cautious about developing e-commerce capabilities.

The net result is that business relationships between banks and e-commerce companies tend to be the fastest and most efficient way to grow into new areas for both types of entities. Such business relationships can be implemented as cross-referral relationships, joint ventures, strategic alliances, and complementary technology development and integration projects.

Implementing effective collaboration frameworks between omnicommerce companies and banks is not trivial, however, given fundamental differences between their business models and operating principles. For example:

  • Commerce companies tend to operate with short horizons, and expect frequent and ongoing technology and business model iterations and repositioning; in contrast, banks tend to plan for longer timeframes and are not set up to easily accommodate ongoing changes.
  • Omnicommerce companies are not used to significant regulation and they target light OPEX loading of their P&Ls for any activities that are not strictly involved in revenue generation, including for compliance; financial institutions, on the other hand, are used to heavy regulatory burden, plan accordingly, and expect that all of their vendors and business affiliates will operate within those regulatory frameworks.
  • Earlier stage companies are focused on growth and market expansion, and tend to look at each bank relationship as just another step in their drive towards wide industry penetration and market share leadership; in contrast, banks are risk averse and often favor corporate stability and management team maturity over pure technology capabilities when they evaluate their tech vendors and business affiliates.
  • Technology companies are understandably concerned about high liability and seek meaningful liability limitations in legal agreements with financial institutions; banks, on the other hand, are cognizant of their own high financial exposure to regulatory actions and consumer-level litigation, and therefore expect to divest much of their risk exposure to their suppliers and business affiliates.

As a result, business, operational, and legal teams working on engagements that bridge e-commerce and e-banking have to thoughtfully consider each other's expectations, needs and concerns, and must be creative to design win-win relationships that can achieve mutual goals over two-to-five-year timeframes while thoughtfully addressing relative liability and risks.

3. Data Analytics and Monetization

As shown in Figures 1 and 2, data is a fundamental operational block for both e-commerce and e-banking. Both e-commerce and e-banking entities have realized in the past few years that SKU-level and service-level transaction data is key to increased customer satisfaction, revenue and customer stability, and improved economics.

The continuing erosion in traditional payment processing profit margins has led to a drive towards volume and consolidation in e-commerce, while looking at e-banking services as potential add-on revenue streams. In parallel, limited growth opportunities in the traditional banking space are leading banks to innovate and try to expand into e-commerce, either directly or through business relationships. A common factor for all of these entities is an increased drive towards deep data analytics that relies on SKU-level data in e-commerce and consumer-transaction records in e-banking. For example, accurate and detailed consumer-level data can enable behavioral profiling and improved digital offers and advertising in e-commerce, and can help financial institutions and banks individualize insurance risk assessment and lending offers, and effectively advertise other financial products and services.

The emergence of platforms that connect mobile apps to the cloud has meant that commerce companies and banks can find a common technology denominator capable of generating data immediately relevant to both e-commerce and e-banking. Consequently, technology is now offering an unprecedented opportunity for commerce companies and banks to work together, and the quest for SKU-level and service-level data and complementary revenue growth opportunities are powerful incentives to make those relationships work.

Data analytics and monetization, however, run quickly against a regulatory ecosystem that has grown more protective of consumers in the past few years, including a complex web of privacy laws promulgated by U.S. States and U.S. federal agencies, the Canadian Federal Government and Canadian provinces, the EU (e.g., GDPR), countries in APAC, and so on. In parallel with these privacy laws, we have a complex web of regulations enforced by U.S. federal agencies (e.g., FTC and CFPB), regulations enforced by the large payment card networks through direct card processing rules and through standards (e.g., PCI DSS), regulations enforced by NACHA for the ACH network, and so on. Further, banks and commerce companies remain subject to their underlying regulatory and compliance obligations, as outlined in Figure 2 above.

Consequently, joint business alliances must be designed and then managed to allow the parties to achieve a number of goals, both individually and together, including:

  • discharge each party's regulatory and compliance obligations;
  • allocate intelligently between the parties the obligation to obtain consumer consents based on current and projected direct nexus with the consumers;
  • allow each party to thoughtfully share data with the other party;
  • impose appropriate cross-party compliance responsibilities;
  • implement a level of operational separation for each party, both in terms of regulatory compliance and in terms of business growth and market segmentation;
  • protect core IP for each party while incentivizing joint innovation and technical collaboration;
  • address liability and risk allocation carefully; and
  • plan in advance for an eventual relationship wind-down.

4. E-Commerce Platforms

A small- or medium-sized business or enterprise merchant deploying an e-commerce platform that allows consumers or other businesses to purchase products or services is usually concerned with payment processing as a fundamental step in efficiently collecting revenue. That is certainly a critical concern at the initial stage. Choosing the right payment processor in terms of capabilities and geographic reach, pricing, and integration into the merchant's omnichannel platform is often the primary driver of the selection and initial deployment of payment processing within e-commerce platforms. Those are, however, just the starting considerations that need to be addressed as merchants develop more sophisticated omnichannel stacks capable of acquiring customers with high conversion rates, dynamically optimizing pricing, extending personalized digital offers, implementing and managing effective loyalty programs, driving customers towards subscription models with recurring payments, collecting actionable SKU-level data, analyzing data to reduce revenue and customer churn, and eventually monetizing data to generate additional direct and indirect revenue streams.

As companies implement more complex omnichannel layers in their e-commerce platforms, API integrations with external vendors and business affiliates increase in numbers and transaction volumes, and both issues of technical compatibility and regulatory compliance start to arise. A typical merchant has legal compliance obligations towards governmental authorities in multiple jurisdictions, contractual obligations towards both vendors and customers, and regulatory obligations towards industry organizations. A compliance program should include thoughtful propagation of regulatory obligations across the merchant's whole commercial chain, from suppliers to customers and back, coupled with effective deflection and reallocation of liability to avoid liability pooling within the merchant's organization. Additionally, optimization of contractual provisions with payment processors and other payment-related vendors (e.g., reserve accounts, settlement times, liability reallocation, etc.), implementation of complex cross-referral programs with other omnicommerce entities (e.g., residuals and cross-referral fees), and augmentation of insurance policies to cover regulatory risks and other contingencies on a global basis become important tools that allow merchants to increase their net profit margins while decreasing their risk profiles.

For merchants that rely on credit card payments for revenue generation, the PCI DSS compliance obligations are well-known, and their scope can be largely reduced by outsourcing card data handling to payment processors and other payment-related vendors (e.g., hosted payment pages or tokenization), although the merchant remains responsible for validating its own, reduced, set of requirements and for securing the pages and systems that hand customers off to those vendors. But the large body of regulatory provisions (e.g., Regulation E) and the comprehensive set of card processing rules enforced by the payment card networks (e.g., rules governing payment authorizations via APIs, aggressive management of revenue churn and card payment collections, increased chargeback rates, and other issues that arise for merchants that deploy sophisticated e-commerce platforms) are less well known, and require careful thought on an ongoing basis.

The rules managed by the payment card networks become more relevant for e-commerce business models that include recurring payment plans and/or aggressive card processing practices. For example, merchants using more sophisticated and aggressive card processing methods, or working with vendors that specialize in credit card fund collection, may see their chargeback rate climb towards 1 percent, at which point they may come under increased scrutiny from the payment card network brands, and may eventually incur fines and additional oversight. Nevertheless, balancing more aggressive card processing programs with good business procedures and fair-but-firm collection practices can significantly increase the net profit margin for e-commerce merchants. It is important to also consider other applicable laws and regulations for programs like these, including the UDAAP and UDAP frameworks overseen by the CFPB and FTC.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wilson Sonsini Goodrich & Rosati | Attorney Advertising


You can make a request for this information by emailing us at or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

Some browsers have incorporated a Do Not Track (DNT) feature. These features, when turned on, send a signal that you prefer that the website you are visiting not collect and use data regarding your online searching and browsing activities. As there is not yet a common understanding on how to interpret the DNT signal, we currently do not respond to DNT signals on our site.

Access/Correct/Update/Delete Personal Information

For non-EU/Swiss residents, if you would like to know what personal information we have about you, you can send an e-mail to We will be in contact with you (by mail or otherwise) to verify your identity and provide you the information you request. We will respond within 30 days to your request for access to your personal information. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why. If you would like to correct or update your personal information, you can manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard. If you would like to delete your account or remove your information from our Website and Services, send an e-mail to

Changes in Our Privacy Policy

We reserve the right to change this Privacy Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our Privacy Policy will become effective upon posting of the revised policy on the Website. By continuing to use our Website and Services following such changes, you will be deemed to have agreed to such changes.

Contacting JD Supra

If you have any questions about this Privacy Policy, the practices of this site, your dealings with our Website or Services, or if you would like to change any of the information you have provided to us, please contact us at:

JD Supra Cookie Guide

As with many websites, JD Supra's website (located at (our "Website") and our services (such as our email article digests) (our "Services") use a standard technology called a "cookie" and other similar technologies (such as pixels and web beacons), which are small data files that are transferred to your computer when you use our Website and Services. These technologies automatically identify your browser whenever you interact with our Website and Services.

How We Use Cookies and Other Tracking Technologies

We use cookies and other tracking technologies to:

  1. Improve the user experience on our Website and Services;
  2. Store the authorization token that users receive when they login to the private areas of our Website. This token is specific to a user's login session and requires a valid username and password to obtain. It is required to access the user's profile information, subscriptions, and analytics;
  3. Track anonymous site usage; and
  4. Permit connectivity with social media networks to permit content sharing.

There are different types of cookies and other technologies used on our Website, notably:

  • "Session cookies" - These cookies only last as long as your online session, and disappear from your computer or device when you close your browser (like Internet Explorer, Google Chrome or Safari).
  • "Persistent cookies" - These cookies stay on your computer or device after your browser has been closed and last for a time specified in the cookie. We use persistent cookies when we need to know who you are for more than one browsing session. For example, we use them to remember your preferences for the next time you visit.
  • "Web Beacons/Pixels" - Some of our web pages and emails may also contain small electronic images known as web beacons, clear GIFs or single-pixel GIFs. These images are placed on a web page or email and typically work in conjunction with cookies to collect data. We use these images to identify our users and user behavior, such as counting the number of users who have visited a web page or acted upon one of our email digests.

JD Supra Cookies. We place our own cookies on your computer to track certain information about you while you are using our Website and Services. For example, we place a session cookie on your computer each time you visit our Website. We use these cookies to allow you to log in to your subscriber account. In addition, through these cookies we are able to collect information about how you use the Website, including what browser you may be using, your IP address, and the URL address you came from upon visiting our Website and the URL you next visit (even if those URLs are not on our Website). We also utilize email web beacons to monitor whether our emails are being delivered and read. We also use these tools to help deliver reader analytics to our authors to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

Analytics/Performance Cookies. JD Supra also uses the following analytic tools to help us analyze the performance of our Website and Services as well as how visitors use our Website and Services:

  • HubSpot - For more information about HubSpot cookies, please visit
  • New Relic - For more information on New Relic cookies, please visit
  • Google Analytics - For more information on Google Analytics cookies, visit To opt-out of being tracked by Google Analytics across all websites visit This will allow you to download and install a Google Analytics cookie-free web browser.

Facebook, Twitter and other Social Network Cookies. Our content pages allow you to share content appearing on our Website and Services to your social media accounts through the "Like," "Tweet," or similar buttons displayed on such pages. To accomplish this Service, we embed code that such third-party social networks provide and that we do not control. These buttons know that you are logged in to your social network account, and therefore such social networks could also know that you are viewing the JD Supra Website.

Controlling and Deleting Cookies

If you would like to change how a browser uses cookies, including blocking or deleting cookies from the JD Supra Website and Services, you can do so by changing the settings in your web browser. To control cookies, most browsers allow you to either accept or reject all cookies, only accept certain types of cookies, or prompt you every time a site wishes to save a cookie. It's also easy to delete cookies that are already saved on your device by a browser.

The processes for controlling and deleting cookies vary depending on which browser you use. To find out how to do so with a particular browser, you can use your browser's "Help" function or alternatively, you can visit which explains, step-by-step, how to control and delete cookies in most browsers.

Updates to This Policy

We may update this cookie policy and our Privacy Policy from time to time, particularly as technology changes. You can always check this page for the latest version. We may also notify you of changes to our privacy policy by email.

Contacting JD Supra

If you have any questions about how we use cookies and other tracking technologies, please contact us at:
