Beancount.io LogoBeancount.io

Why Your Website's Chat Box Could Trigger State Income Tax in 20 States: PL 86-272 in the Internet Economy

11 min readMike ThriftMike Thrift
Why Your Website's Chat Box Could Trigger State Income Tax in 20 States: PL 86-272 in the Internet Economy

Imagine you sell phone cases out of a single warehouse in Texas. Your customers click "Buy Now" from a browser anywhere in the country, FedEx drops off the package, and that has been the extent of your contact with most states for years. Then a California auditor sends a letter saying you owe three years of corporate income tax — because your homepage has a chat widget and your shipping confirmation page drops a cookie that pings their state every time someone in Sacramento places an order.

If that sounds unfair, you are not alone. But the rules that protected mail-order sellers in 1959 were written for catalogs and traveling salespeople, not for cookies, JavaScript trackers, and 24/7 live chat. State revenue departments have noticed, and a federal law that once shielded most out-of-state sellers from state income tax is being aggressively narrowed by an obscure interstate compact and the states that follow it.

What Public Law 86-272 Actually Says

Public Law 86-272 is a short federal statute, enacted in 1959, that prohibits states from imposing a net income tax on an out-of-state business if the company's only in-state activity is the "solicitation of orders" for tangible personal property, provided two conditions are met:

  1. The orders are approved or rejected from outside the state.
  2. The orders, when approved, are filled by shipment from outside the state.

If you satisfy those rules, the state cannot tax your net income, even if you ship millions of dollars of goods to its residents every year.

Congress passed PL 86-272 after a 1959 Supreme Court decision, Northwestern States Portland Cement v. Minnesota, held that maintaining a sales office in a state created enough nexus for income tax. Industry pushback was intense — small manufacturers feared having to file in every state where they sent a salesperson — so Congress carved out a federal floor of protection that no state can drop below.

The Four Things That Will Break Your Immunity

PL 86-272 has always been narrower than people remember. Even before the internet, four limitations applied:

1. Tangible Personal Property Only

The shield protects sales of physical goods. It does not protect:

  • Software licenses
  • SaaS subscriptions
  • Streaming media
  • Cloud services
  • Professional services
  • Real property
  • Intangibles such as patents or trademarks

A SaaS company that has never shipped a single physical object has never been protected by PL 86-272. Many software founders assume they are immune from state income tax because they "have no nexus." They do — they just have a separate economic-nexus problem.

2. Solicitation of Orders Only

The Supreme Court spelled out the boundary in Wisconsin Department of Revenue v. William Wrigley, Jr., Co. (1992). Protected activities are limited to solicitation itself and activities that "serve no independent business function apart from their connection to the soliciting of orders." Free samples and advertising are fine. Repairs, training, credit investigation, and collection are not.

Wrigley lost its immunity in Wisconsin because its sales reps swapped stale gum from store shelves and supplied display racks. The Court called those activities independent business functions that exceeded mere solicitation.

3. Orders Approved From Outside the State

A salesperson in-state can take orders, but the home office outside the state must approve them. If an in-state employee has the authority to bind the company to a sale, immunity is lost.

4. Shipment From Outside the State

Inventory stored in a third-party warehouse inside the state — including Amazon FBA fulfillment centers — generally destroys immunity. So does drop-shipping from an in-state supplier. The federal law cares about where the goods physically come from, not just where you keep the books.

PL 86-272 also covers only net income taxes. It does not protect against:

  • Sales and use tax (post-Wayfair, this is now an economic-nexus question)
  • Gross receipts taxes (Washington B&O, Ohio CAT, Oregon CAT, Nevada Commerce Tax)
  • Franchise taxes based on net worth or capital
  • Local business license fees

The MTC's 2021 Revised Statement Changed Everything

The Multistate Tax Commission (MTC) is a compact of state revenue departments that issues model rules. In August 2021, it revised its long-standing "Statement of Information Concerning Practices of Multistate Tax Commission and Signatory States Under Public Law 86-272." The new version added a category of internet-era activities that, in the MTC's view, exceed solicitation and therefore destroy immunity.

Activities That Now Break Immunity (Per the MTC)

  • Post-sale customer service via electronic chat or email initiated from your website or app, where a representative answers questions about previously purchased products.
  • Soliciting and receiving online applications for non-sales positions, such as engineering jobs at your headquarters.
  • Placing internet cookies on in-state customer devices that gather information used to adjust production schedules, develop new products, or perform market research unrelated to making the current sale.
  • Remotely fixing or upgrading previously purchased products by transmitting code or other electronic instructions over the internet.
  • Offering and selling extended warranty plans to in-state customers.
  • Contracting with an in-state marketplace facilitator to facilitate sales to in-state customers, where the facilitator maintains in-state inventory.
  • Contracting with in-state customers to stream videos or music for a charge.
  • Selling digital goods or services that are downloaded by in-state customers (because these are not tangible personal property in the first place).

Activities That Remain Protected

  • A static website that displays product information and accepts orders.
  • Internet cookies whose only function is to remember items in a shopping cart, recall preferences, or otherwise facilitate the current online sale.
  • Telephone or email solicitation followed by out-of-state order approval.
  • Advertising on in-state media.

Which States Have Adopted the MTC Position?

The MTC statement has no force of law on its own — states must adopt it. As of early 2026, the following states have formally embraced the revised position through notices, regulations, or legislation:

  • California (Franchise Tax Board Technical Advice Memorandum 2022-01 and Publication 1050)
  • New York (TSB-M-23(1)C; effective for tax years beginning in 2023)
  • New Jersey (TB-108)
  • Oregon (administrative rule revision)
  • Minnesota (Revenue Notice 22-06)

Several other states are expected to follow, and some have already taken aggressive positions in audits without formal guidance. A handful of taxpayers have sued — American Catalog Mailers Association v. Franchise Tax Board in California is the most prominent — arguing that the FTB's interpretation conflicts with the federal statute. As of this writing, the litigation remains unresolved, and most multistate sellers are operating under uncertainty.

A Practical Audit Checklist for Your Website

If you sell tangible goods and have been relying on PL 86-272 in MTC-adopting states, walk through your customer journey and ask whether each touchpoint stays within "mere solicitation":

  1. Live chat widgets. Does the chat help close the current sale only? Or do representatives also help with returns, refunds, technical support, and order status? Post-sale chat is the single most common nexus trigger flagged by California auditors.
  2. Cookies and analytics scripts. What data do you collect, and what do you do with it? Cart-recovery cookies that only support the current sale are safe. A pixel that feeds product-development analytics is not.
  3. Mobile app updates. If your app pushes firmware updates or bug fixes to in-state users after the sale, the MTC treats that as remote repair.
  4. Marketplace facilitator inventory. Does Amazon, eBay, or Walmart hold your goods inside the state? You are no longer shipping from outside — you have lost immunity on shipment grounds alone.
  5. Warranty and extended-service plans. Selling these in-state is a separate revenue stream that the MTC treats as a non-protected activity.
  6. Job listings. Posting jobs at your headquarters on your "Careers" page that an in-state resident can apply for is protected. Posting an in-state job opening is not — but soliciting applications for non-sales positions anywhere is also flagged by the MTC.

If any answer raises a flag, you may have a filing obligation you did not know about.

Building a Defensible Record

Whether or not you ultimately register and file in MTC-adopting states, you need contemporaneous documentation of what your website actually does. Auditors increasingly request screenshots from prior years, JavaScript audits, and cookie inventories. If you cannot produce them, the state's version of events wins.

Bookkeeping has a quieter but critical role here. Accurate per-state revenue tracking — by ship-to address, not just billing address — lets you size the exposure quickly and decide whether to file. When a state opens an audit, the first request is usually three to six years of sales data broken out by jurisdiction. Companies that cannot produce that cleanly often settle for more than they owe simply because they cannot defend a smaller number.

Companies that wait until the audit letter arrives also miss the chance to use a voluntary disclosure agreement (VDA), which most states offer to first-time filers. A VDA typically limits the look-back period to three or four years, waives penalties, and lets the company come into compliance quietly. Once an auditor reaches out, that option closes.

Common Mistakes Multistate Sellers Make

Treating PL 86-272 as one-size-fits-all. The statute only addresses net income tax. Sales tax, gross receipts taxes, and franchise taxes all have their own nexus rules. Many companies are compliant for income tax but blissfully ignoring six-figure sales tax exposure.

Confusing physical-presence and economic nexus. South Dakota v. Wayfair (2018) abolished the physical-presence rule for sales tax. The states have since moved toward economic-nexus thresholds for income tax as well — $500,000 of in-state sales is a typical trigger. PL 86-272 is a federal override for income tax, but the threshold question (is there nexus at all?) is now answered by sales, not by inventory.

Assuming SaaS is protected. It never was. If your business is a hybrid product/software company, the software side has been creating nexus from day one.

Ignoring market-based sourcing. Even if you owe income tax in a state, the apportionment formula matters. Most states now source service revenue to the customer's location ("market sourcing") rather than the seller's. That can shift millions of dollars of taxable income from a low-tax home state to a high-tax destination.

Forgetting franchise and gross-receipts taxes. A protected business in California still owes the $800 minimum franchise tax once it is doing business in the state. Washington B&O tax applies to gross receipts regardless of income, with economic nexus thresholds as low as $100,000.

What to Do Right Now

Step one is a nexus study covering every state where you have meaningful sales. Most multistate CPA firms can run one in two to four weeks. The output is a matrix: for each state, the dollar exposure, the protected vs. unprotected analysis, and a recommended action (file going forward, pursue a VDA, or do nothing).

Step two is a website audit, ideally conducted before any state contacts you. Document the cookies you set, the activities your chat reps perform, your fulfillment chain, and your warranty offerings. Keep evidence in version control or screenshots dated to the relevant tax year.

Step three is registering and filing in states where you have clear nexus and unprotected activities. Filing late is much cheaper than being assessed under audit, and most states will work out installment plans for back-tax liabilities.

Step four is changing the website where the cost-benefit favors removing exposure rather than filing. Disabling post-sale chat in certain states or moving analytics cookies off the site entirely may be cheaper than filing a state income tax return for years.

Keep Your Multistate Records Audit-Ready

Multistate nexus questions live or die on the quality of your underlying books. Plain-text accounting with Beancount.io gives you complete, auditable records of every sale by jurisdiction, every reconciliation, and every assumption you made — all in human-readable files you can version-control, diff, and produce on demand. Get started for free and put your financial data on a foundation that holds up when a state auditor starts asking pointed questions about 2023.