An overview of best practices for drafting enforceable website Terms of Use and Privacy Policies, focusing on the presentation of Terms of Use and acceptance methods, as well as special considerations and disclosures required for Privacy Policies under California and Federal law.
1. BEST PRACTICES: TERMS OF USE AND PRIVACY POLICIES
Royse Law Firm, PC
1717 Embarcadero Road
Palo Alto, CA 94303
www.rroyselaw.com
Heidi Klein
650‐521‐5748
hklein@rroyselaw.com
October 12, 2015
3. ENFORCEABILITY ‐ BROWSEWRAP
• Nguyen v. Barnes & Noble, Inc. (9th Cir. Aug. 18, 2014): enforceability
depends on whether the user has actual or constructive knowledge of the
Terms
– Courts have consistently enforced browsewrap where users had actual notice
of terms.
– Inquiry Notice: Terms must be sufficiently evident to make a reasonably
prudent user aware of their existence.
• General design of the website;
• Whether the link to the Terms is conspicuous (visibility/placement of the link); and
• Whether there are any other notices provided to the user regarding the Terms
• Generally…
– Inconspicuously placed Terms, tucked away or buried at the bottom of the page:
unenforceable
– Multi‐step process through non‐obvious links to locate or access Terms:
unenforceable
– Courts have found it sufficient where websites implement explicit textual
notice that continued use will act as acceptance and consent to Terms
4. PRESENTATION/ACCEPTANCE
• Four Types of Electronic Adhesion Contracts (Berkson v. Gogo LLC
and GoGo Inc.)
– Browsewrap agreements ‐‐ provide that the user gives assent to the terms
merely by using the site.
– Clickwrap agreements ‐‐ require a user to affirmatively click a box on the
website acknowledging awareness of and agreement to the terms of the
agreement before he or she is allowed to proceed with further use of the
website.
– Scrollwrap agreements ‐‐ require a user to physically scroll through an
internet agreement and click on a separate "I agree" button in order to agree
to the terms and conditions of the host website.
– Sign‐in‐wrap agreements ‐‐ do not require the user to click on a box showing
acceptance of the "terms of use," but instead include a statement like “By
clicking 'NEXT' I agree to the terms of use and privacy policy.”
5. ACCEPTANCE ‐ ELIGIBILITY
• Legally competent to accept the Terms of Use
– 18 years or older
– Mentally competent
• Include provision that includes representations and
warranties by user and website provider’s right to
terminate/no obligation:
– (e.g. “If for any reason, we, in our sole discretion, believe you do not meet the
eligibility requirements set forth above, we reserve the right, without
provision of any notice to you to terminate your account and the Terms. If you
do not meet the eligibility requirements as set forth above, we have no
obligations to you under the Terms.”)
7. MATERIAL TERMS
• Must be CLEAR and CONSPICUOUS
• Court in Berkson: TOU must clearly draw attention to material terms
that would alter what a reasonable consumer would understand to be
default rights in an online transaction
• Arbitration Clause
– Include clear language at beginning of TOU putting user on notice:
• (e.g., THESE TERMS CONTAIN AN AGREEMENT TO ARBITRATE IN SECTION 10
BELOW, WHICH WILL REQUIRE YOU TO SUBMIT CLAIMS YOU HAVE AGAINST THE
COMPANY TO BINDING AND FINAL ARBITRATION)
• Governing Law/Venue
• Restrictions on Class Actions
• Payment Terms (auto‐renewal)
8. E‐COMMERCE/SOCIAL MEDIA
• E‐Commerce Website
– Payment Terms (subscription, auto‐renewal)
– Disclaimers/Liability
• Limits of Jurisdictional Application
• Social Media Platform
– User Generated Content (UGC)
– License to use UGC (avoid assignment/ownership language)
– Prohibited Content (offensive, violent, spam, infringing content,
minors)
• DMCA Provision
– Must register with the Copyright Office
11. DECEPTIVE TRADE PRACTICES
• Breach of a promise is a “deceptive” practice.
• In the Matter of GeoCities, Inc., FTC File No. 982‐3015 (Feb. 12, 1999)
– Online community where users could maintain personal home pages.
– GeoCities promised it would not distribute or sell any collected information.
– FTC alleged GeoCities misrepresented how it would use information collected from users by
reselling the information to third parties, which was in violation of GeoCities’ Privacy Policy.
• In the Matter of Microsoft Corp., FTC File No. 012‐2340 (Dec. 24, 2002)
– Microsoft made claims about the high level of security used to protect personal and
financial information collected through its “Passport” website service that allowed users to
use a single sign‐in for multiple web services.
– FTC alleged that these “high‐level security” representations were misleading, because
Microsoft’s vendors and business partners controlled the personal information, and not
Microsoft itself.
12. UNFAIR TRADE PRACTICES
• Practice is “unfair” where the injury caused is (1) substantial, (2) without
offsetting benefits, and (3) one that consumers cannot reasonably avoid.
• In the Matter of Gateway Learning Corp., FTC File No. 042‐3047 (Sept. 17, 2004)
– Privacy Policy stated it would not rent, sell, or loan any personal information without user
consent and would provide users with opportunity to opt‐out if practice changed.
– Gateway started to sell information and retroactively modified its Terms without providing
notice to users.
– FTC: Retroactive application of material changes to the Privacy Policy was an unfair trade
practice.
• In the Matter of BJ’s Wholesale Club, Inc., FTC File No. 042‐3160 (Sept. 23, 2005)
– BJ’s failed to encrypt personal and financial information and failed to secure wireless
networks to prevent unauthorized access.
– Failing to implement basic security controls to protect consumer information alone
constitutes an enforceable unfair trade practice, without any need for FTC to allege
deception.
17. SPECIAL REQUIREMENTS
• Children’s Online Privacy Act (COPPA)
– If PII is collected from children under the age of 13, COPPA regulations may apply
• California Civil Code § 1798.83 “Shine the Light” Law
– California residents permitted to request information regarding the
disclosure of their PII by online service providers to third parties for the
third parties’ direct marketing purposes.
• Do Not Track (DNT) (AB 270 of 2013) “Tracking Transparency Law”
– The law requires two new disclosures in the privacy policy of an
operator of a web site or online service:
• (1) the operator’s response to a browser DNT signal or to “other
mechanisms,” ‐‐ Required when website collects PII over time and across
third‐party websites
– can be satisfied by linking to a program or policy that explains a user’s choice
about online tracking – www.allaboutdnt.com
• (2) the possible presence of other parties conducting online tracking
18. BEST PRACTICES
• Making Your Privacy Practices Public, Kamala D. Harris, California
Department of Justice
– Readability
• Use plain, straightforward language. Avoid technical or legal jargon.
• Use a format that makes the policy readable, such as a layered format
– Online Tracking/Do Not Track
• Make it easy for a consumer to find the section in which you describe your
policy regarding online tracking by labeling it, for example: “How We
Respond to Do Not Track Signals,” “Online Tracking” or “California Do Not
Track Disclosures.”
• Describe how you respond to a browser’s Do Not Track signal or to other
such mechanisms. This is more transparent than linking to a “choice
program.”
• State whether other parties are or may be collecting personally identifiable
information of consumers while they are on your site or service.