On December 14, 2016, President Obama signed into law the Better Online Ticket Sales Act of 2016. The BOTS Act prohibits circumventing a website’s security measures to acquire event tickets. It also restricts the reselling of tickets when the seller knows or should have known they were acquired through circumvention. Importantly, it empowers the Federal Trade Commission and the States to enforce the law, but does not provide a private right of action to consumers.

Prior to BOTS, ticket resellers would often swamp online ticket sales sites with programs and scripts designed to buy as many tickets as possible at the often low retail rates. Those resellers would then resell those tickets at inflated prices. The purpose of BOTS is to make that practice illegal. It also makes the resale of tickets obtained in such a manner illegal so long as the person selling either knew or should have known the tickets were obtained using illegal bots, or they participated in the acquisition of the tickets.

What is prohibited technically is “circumvention” of a “security measure, access control system, or other technological control or measure” on an online site that is “used by the ticket issuer to enforce posted event ticket purchasing limits or to maintain the integrity of posed online ticket purchasing order rules.” The language is quite broad. Any “person” who “circumvents” a “security measure” is violating the Act. The security measure doesn’t have to be particularly robust to trigger liability. And violating the Act does not appear to require the use of a bot, although using bots would certainly be captured. Conversely, there is nothing in the rule that prohibits the use of a bot so long as the bot follows the ticket purchasing order rules.

Ticket sellers should be cognizant of a few things. The Act is violated if there is a single circumvention of a stated ticket purchasing rule. So, if the rule is phrased in terms of maximum tickets per purchase, a bot could theoretically be programed to make multiple purchases of that maximum and not violate the Act. The security measure does not need to be robust. A vendor could require, for example, that a buyer certify that it will not resell the tickets at a price above the price at which it was purchased. If the purchaser had to click an agreement to that statement to proceed, and then proceeded to resell the ticket, it would violate the Act.

Granting enforcement rights to both the FTC and the States is likely designed to ensure that not only the big violators but the medium ones as well are captured. Violations too small to merit FTC resources could be attacked by the States. As the law is now in effect, ticket resellers who deploy bots should consider conducting an audit of their software and reviewing the sites they target. Ticket sellers should make sure their terms of use take into account the new statute and some of the loopholes that it creates.