An overview on best practices when drafting enforceable website Terms of Use and Privacy Policies focusing on the presentation of Terms of Use and acceptance methods, as well as special considerations and disclosures required for Privacy Policies under California and Federal law.

1. BEST PRACTICES: TERMS OF USE
AND PRIVACY POLICIES
Royse Law Firm, PC
1717 Embarcadero Road
Palo Alto, CA 94303
www.rroyselaw.com
Heidi Klein
650‐521‐5748
hklein@rroyselaw.com
October 12, 2015

2. TERMS OF USE OVERVIEW
• Enforceability
• Presentation
• Acceptance
• Modification/Changes
• Material Terms
• E‐Commerce Websites and Social Media Platforms
2

3. ENFORCEABILITY ‐ BROWSEWRAP
• Nguyen v. Barnes & Noble, Inc., (9th Cir. Aug. 18, 2014) enforceability
depends on whether user has actual or constructive knowledge of the
Terms
– Courts have consistently enforced browsewrap where users had actual notice
of terms.
– Inquiry Notice: Terms must be sufficiently evident to make a reasonably
prudent user aware of their existence.
• General design of the website;
• Whether the link to the Terms is conspicuous (visibility/placement of the link); and
• Whether there are any other notices provided to the user regarding the Terms
• Generally…
– Inconspicuously placed Terms tucked away or buried in bottom of page
unenforceable
– Multi‐step process through non‐obvious links to locate or access Terms
unenforceable
– Courts have been found it sufficient where websites implement explicit textual
notice that continued use will act as acceptance and consent to Terms
3

4. PRESENTATION/ACCEPTANCE
• Four Types of Electronic Adhesion Contracts (Berkson v. Gogo LLC
and GoGo Inc.)
– Browsewrap agreements ‐‐ provide that the user gives assent to the terms
merely by using the site.
– Clickwrap agreements ‐‐ require a user to affirmatively click a box on the
website acknowledging awareness of and agreement to the terms of the
agreement before he or she is allowed to proceed with further use of the
website.
– Scrollwrap agreements ‐‐ require a user to physically scroll through an
internet agreement and click on a separate "I agree" button in order to agree
to the terms and conditions of the host website.
– Sign‐in‐wrap agreements ‐‐ do not require the user to click on a box showing
acceptance of the "terms of use," but instead includes a statement like “By
clicking 'NEXT' I agree to the terms of use and privacy policy."
4

5. ACCEPTANCE ‐ ELIGIBILITY
• Legally competent to accept the Terms of Use
– 18 years or older
– Mentally competent
• Include provision that includes representations and
warranties by user and website provider’s right to
terminate/no obligation:
– (e.g. “If for any reason, we, in our sole discretion, believe you do not meet the
eligibility requirements set forth above, we reserve the right, without
provision of any notice to you to terminate your account and the Terms. If you
do not meet the eligibility requirements as set forth above, we have no
obligations to you under the Terms.”)
5

6. MODIFICATIONS/CHANGES
• Blanket statement granting right to unilaterally change terms
with or without notice ‐‐ generally unenforceable
• Provide prominent notice on the website for any changes
• In addition, provide notice for material changes by sending
notice to email address designated by user
• Include effective date (e.g. “Last Updated: September 15,
2015”)
6

7. MATERIAL TERMS
• Must be CLEAR and CONSPICUOUS
• Court in Berkson : TOU must clearly draw attention to material terms
that would alter what a reasonable consumer would understand to be
default rights in an online transaction
• Arbitration Clause
– Include clear language at beginning of TOU putting user on notice:
• (e.g., THESE TERMS CONTAIN AN AGREEMENT TO ARBITRATE IN SECTION 10
BELOW, WHICH WILL REQUIRE YOU TO SUBMIT CLAIMS YOU HAVE AGAINST THE
COMPANY TO BINDING AND FINAL ARBITRATION
• Governing Law/Venue
• Restrictions on Class Actions
• Payment Terms (auto‐renewal)
7

8. E‐COMMERCE/SOCIAL MEDIA
• E‐Commerce Website
– Payment Terms (subscription, auto‐renewal)
– Disclaimers/Liability
• Limits of Jurisdictional Application
• Social Media Platform
– User Generated Content (UGC)
– License to use UGC (avoid assignment/ownership language)
– Prohibited Content (offensive, violent, spam, infringing content,
minors)
• DMCA Provision
– Must register with the Copyright Office
8

9. TAKE AWAY
• Analyze the client’s business, services, potential liabilities
• Review samples of TOU with similar services
• Customize
• Implement:
– Clickwrap or Scrollwrap
– Account Registration
– Clear and Conspicuous Material Terms
– Clear Notification of Modifications/Changes to Material Terms
9

10. PRIVACY POLICIES
• Federal Trade Commission (FTC)
– Necessary to avoid unfair and deceptive trade practices
• California Online Privacy Protection Act of 2003
(CalOPPA)
– First law in the nation with a broad requirement for privacy
policies
10

11. DECEPTIVE TRADE PRACTICES
11
• Breach of a promise is a “deceptive” practice.
• In the Matter of GeoCities, Inc., FTC File No. 982‐3015 (Feb. 12, 1999)
– Online community where uses could maintain personal home pages.
– GeoCities promised it would not distribute or sell any collected information.
– FTC alleged GeoCities misrepresented how it would use information collected from users by
reselling the information to third parties, which was in violation of GeoCities’ Privacy Policy.
• In the Microsoft, Corp., FTC File No. 012‐2340 (Dec. 24, 2002)
• Microsoft made claims about the high level of security used to protect personal and
financial information collected through its “Passport” website service that allowed users to
use a single sign‐in for multiple web services.
• FTC alleged that these “high‐level security” representations were misleading, because
Microsoft’s vendors and business partners controlled the personal information, and not
Microsoft itself.

12. UNFAIR TRADE PRACTICES
12
• Practice is “unfair” where the injury caused is (1) substantial, (2)without
offsetting benefits, and (3) one that consumers cannot reasonably avoid.
• In the Matter of Gateway Learning Corp., FTC File No. 042‐3047 (Sept. 17, 2004)
– Privacy Policy stated it would not rent, sell, or loan any personal information without user
consent and would provide users with opportunity to opt‐out if practice changed.
– Gateway started to sell information and retroactively modified its Terms without providing
notice to users.
– FTC: Retroactive application of material changes to the Privacy Policy was an unfair trade
practice.
• In the Matter of BJ’s Wholesale Club, Inc., FTC File No. 042‐3160 (Sept. 23, 2005)
• BJ’s failed to encrypt personal and financial information and failed to secure wireless
networks to prevent unauthorized access.
• Failing to implement basic security controls to protect consumer information alone
constitutes an enforceable unfair trade practice, without any need for FTC to allege
deception.

13. CalOPPA
13
• CalOPPA:
– Applies to operators of commercial websites and online
services that collect personally identifiable information
about California residents
– Must conspicuously post a privacy policy
– Must comply with the terms of the policy

14. ONLINE SERVICE
14
• Websites
• Mobile apps (iOS, Android, Windows)
• Desktop apps (Windows, Mac OS X)
• Facebook apps
• SaaS apps
• Any other platform where users would share their
personal information

15. PERSONALLY IDENTIFIABLE INFORMATION
• “Personally identifiable information” (PII) broadly defined as information
about a consumer collected online and maintained by the operator in an
accessible form, including any of the following:
• first and last name;
• home or other physical address, including street name and name of a city
or town;
• e‐mail address;
• A telephone number;
• social security number;
• any other identifier that permits the physical or online contacting of a
specific individual; and
• information concerning a user that the online service collects online from
the user and maintains in personally identifiable form in combination with
an identifier described in this subdivision.
15

16. REQUIREMENTS
16
• At the very least, you must include (Cal. Bus. & Prof. Code §§
22575‐22579):
– Categories of PII collected through the site or service about users or visitors,
– Categories of third parties with whom the operator may share the personally
identifiable information,
– Description of process for a user or visitor to review and request changes to his or
her personally identifiable information collected through the site or service, if the
operator maintains such a process,
– Description of process for notifying users and visitors of material changes to the
privacy policy, and
– Effective date of the privacy policy.

17. SPECIAL REQUIREMENTS
• Children’s Online Privacy Act (COPPA)
– PII from children under the age of 13, COPPA regulations may apply
• California Civil Code § 1798.83 “Shine the Light” Law
– California residents permitted to request information regarding the
disclosure of their PII by online service providers to third parties for the
third parties’ direct marketing purposes.
• Do Not Track (DNT) (AB 270 of 2013) “Tracking Transparency Law”
– The law requires two new disclosures in the privacy policy of an
operator of a web site or online service:
• (1) the operator’s response to a browser DNT signal or to “other
mechanisms,” ‐‐ Required when website collects PII over time and across
third‐party websites
– can be satisfied by linking to program or policy that explains a users choice
about online tracking – www.allaboutdnt.com
• (2) the possible presence of other parties conducting online tracking
17

18. BEST PRACTICES
18
• Making Your Privacy Practices Public, Kamala D. Harris, California
Department of Justice
– Readability
• Use plain, straightforward language. Avoid technical or legal jargon.
• Use a format that makes the policy readable, such as a layered format
– Online Tracking/Do Not Track
• Make it easy for a consumer to find the section in which you describe your
policy regarding online tracking by labeling it, for example: “How We
Respond to Do Not Track Signals,” “Online Tracking” or “California Do Not
Track Disclosures.”
• Describe how you respond to a browser’s Do Not Track signal or to other
such mechanisms. This is more transparent than linking to a “choice
program.”
• State whether other parties are or may be collecting personally identifiable
information of consumers while they are on your site or service.

19. BEST PRACTICES CONT.
19
• Data Use and Sharing
• Explain your uses of personally identifiable information beyond what is
necessary for fulfilling a customer transaction or for the basic functionality of
an online service.
• Whenever possible, provide a link to the privacy policies of third parties with
whom you share personally identifiable information.
• Individual Choice and Access
• Describe the choices a user has regarding the collection, use and sharing of his
or her personal information.
• Accountability
• Clearly tell users whom they can contact with questions or concerns about
your privacy policies and practices.

20. BEST PRACTICES CONT.
20
• In Addition…
• Incorporate by reference into the TOU to include risk allocation provisions
without overcomplicating Privacy Policy
• Obtain clear consent from user (“By submitting PII through the website you
agree to the terms of this Privacy Policy and you expressly consent to the
collection, use and disclosure of your PII in accordance with this Privacy
Policy”)
• Implement reasonable security measures and explain those measures in the
Privacy Policy

21. TAKE AWAY
21
• Analyze and fully understand the data collection and retention activities of
the client
• Carefully craft the privacy policy to adequately, clearly, and conspicuously
explain privacy practices
• Implement reasonable data security measures (encryption at the very least
for personal/financial information)
• Provide opt‐in consent when changing the way personal data is collected
and/or used
• Most important of all — adhere to the privacy policy

22. 22
www.rroyselaw.com
PALO ALTO
1717 Embarcadero Road
Palo Alto, CA 94303
SAN FRANCISCO
135 Main Street
12th Floor
San Francisco, CA 94105