Connecticut Will Make You Disclose Personal Customer Data!
The Connecticut Department of Revenue Services (DRS) recently issued demand letters to many remote sellers requiring that they either: (a) provide electronic sales records for all individual sales shipped to a Connecticut address over the past three calendar years; or (b) register to collect and remit Connecticut sales and use tax. This action is consistent with statements made by DRS Commissioner, Kevin Sullivan, via a press release in March and more recently at a Federation of Tax Administrator’s (FTA) presentation on the topic two weeks ago. Sullivan’s comments at the FTA meeting indicated that state tax administrators “will move from hoping Congress will help” to taking action into their own hands.
For remote sellers with no physical presence in Connecticut that don’t wish to voluntarily collect and remit sales and use tax (consistent with the US Supreme Court’s precedent in Quill and Bellas Hess), they are given only one option–provide DRS with a semi-colon delimited text file containing 16 fields of data–including customer names, customer addresses, ship to addresses, item descriptions and quantities sold. But supplying such personal data about customers intrudes upon the privacy and First Amendment rights of the customer, and unconstitutionally deprives remote sellers of their property right in the data set without due process of law. Of equal concern, some sellers question whether DRS is appropriately limited in its ability to disclose or share the customer data it seeks.
First, disclosure of the records DRS is requesting from remote sellers would be a significant intrusion on their customers’ privacy. The records requested include disclosure of customer names, addresses, shipping state, sales price and specific product(s) purchased. This can be highly sensitive information. Merely linking a particular online retailer to a specific customer may reveal information about the customer’s health issues, political leanings, sexual orientation, personal tastes and financial circumstances. By collecting shipping addresses, DRS will learn when an individual has a gift purchase delivered to a different address, revealing what could be a personal (and highly private) relationship. Moreover, some sellers question whether Connecticut law adequately protects the confidentiality of the information DRS is attempting to collect, leaving the possibility that the information could be shared with other government agencies and potentially used for purposes other than collection of sales and use tax.
Second, for remote sellers that offer books, music, videos and other forms of expressive content, the DRS request violates the customers’ First Amendment protections. In 2010, a US District Court held that an online retailer’s North Carolina customers’ First Amendment rights were implicated by a similar content disclosure requirement on audit. See Amazon.com LLC v. Lay, 758 F. Supp. 2d 1154, 1169 (W.D. Wash. 2010). The First Amendment protects a buyer from having the expressive content of that buyer’s purchase of books, music and audiovisual material disclosed to the government. Thus, First Amendment rights are implicated when the government seeks disclosure of reading, listening and viewing habits. As a result, the North Carolina Department of Revenue was enjoined from requesting customer identifying information from the online retailer. The same prohibition upheld by the federal district court should apply to DRS here. Beyond the First Amendment, the Connecticut Constitution itself offers similar protections that speak against the state’s ability to obtain such information. See Conn. Const. art. I, §§ 4-5.
Third, Section 1 of the Fourteenth Amendment to the US Constitution and Article I, Section 8 of the Connecticut Constitution prohibit DRS from depriving any person of property without due process of law. The required disclosure by remote sellers of their proprietary list of Connecticut purchasers compromises the value of the customer list and deprives the disclosing retailer of its protected property right in the list without due process of law. For remote sellers, these lists are valuable, highly exclusive trade secrets, in which such retailers make a substantial investment and in which they have a protected property right. By forcing remote sellers to turn over their confidential customer lists and subsequently not having an obligation to protect the list from the public realm, DRS is depriving the remote sellers of valuable property without due process of law. Would the state be able to protect a customer list from a Freedom of Information Act (FOIA) request submitted by a remote seller’s competitor?
Last, but certainly not least, Connecticut law requires that each state agency “[m]aintain only that information about a person which is relevant and necessary to accomplish the lawful purposes of the agency.” Conn. Gen. Stat. Ann. § 4-193(e). The amount of information being required by DRS goes well beyond what is required to enforce Connecticut tax law. Some number of a remote seller’s customers undoubtedly paid use tax on their purchases. Ignoring that reality the DRS targets all sales to Connecticut consumers when they should instead be looking for information only on consumers who have not already paid the appropriate use tax. This broad fishing expedition is therefore not targeted to the agency’s necessary and appropriate role but is instead designed to burden the seller and cause remote sellers to register to collect and remit sales and use tax.
Practice Note: Remote sellers who receive communication from the DRS should evaluate their legal rights and obligations and take appropriate steps to protect their customers’ data. We encourage remote sellers to contact the authors should they be concerned about the course of action taken by the Connecticut DRS.