1. Terms of Service and
Privacy Policies

2. Readings
• ProCD v. Zeidenberg, 86 F.3d 1447 (7th Cir. 1996)
• Hill v. Gateway 2000, 105 F.3d 1147 (7th Cir. 1997)
• Specht v. Netscape, 306 F.3d 17 (2nd Cir. 2002)
• Register.com v. Verio, 356 F.3d 393 (2nd Cir. 2004)
• Hines v. Overstock, 668 F.Supp.2d 362 (EDNY 2009) (aff’d 2d Cir. 2010)
• Fteja v. Facebook, 841 F.Supp.2d 829 (SDNY 2012)
• Meyer v. Uber, 868 F.3d 66 (2nd Cir. 2017)

3. Contract Formation
• Offer
• Must contain essential terms of the agreement
• Acceptance
• Notice
• Opportunity to Reject
• Physical Manifestation of Assent
• Consideration
• Anything of value

4. Acceptance
• “By visiting and staying on this website you agree …”
• “By enrolling as a User on this website you agree …”
• “By clicking ‘I Agree’ you agree …”

5. Types of Agreements
Negotiated Shrinkwrap
Scroll-wrap
(?!)
Clickwrap
Sign-in Wrap
(?!)
Browsewrap
In order of enforceability – from most to least enforceable
Two parties bargain for the exchange of goods/services/cashTerms written on box or notice of terms visible on exterior of box and contained inside box or on softwareUser sent to terms and required to scroll through terms before presented with “I Agree” buttonUser sent to terms, but not required to scroll through them before presented with an “I Agree” buttonLink to terms provided next to “Sign Up” button, with instructions to “Please read the terms linked here
before you continue” or “By clicking ‘Sign Up’ you agree to the terms found here” – user is not required to
click through to terms before continuing in process
A link to the terms is provided near (though maybe not next to) the prompt to continue and user is not
prompted to engage with the terms in any manner

6. Terms of Service
• Set Expectations
• Definition of Service
• Process for acquiring service
• Customer Support
• Payment Terms
• Intellectual Property Rights of Company and/or Users
• Compliance Issues
• Limitation of Liability (Waiver of Warranties)
• Forum Selection and/or Arbitration

7. Terms of Service
• Terms of Service
• Terms of Use
• Software as a Service Agreement
• End User Agreement
• Platform Hosting Agreement
• Software Licensing Agreement
• Master Licensing Agreement (“MLA”)
• Pendant Licensing Agreements
• Master Service Agreement (“MSA”)
• Statement of Work (“SOW”)
• Service Level Agreement (“SLA”)

8. So What About Privacy Policies?
• Contract? No.
• Statutorily required to disclose collected information and how information
is being used
• COPPA (Children under 13)
• HIPAA (Protected Heath Information)
• California “Shine the Light”
• EU General Data Protection Regulation
• EU Safe Harbor
• Special agreement with Switzerland

9. Statutory Protection of Privacy
• COPPA – 15 USC 6501, et seq; 16 CFR 312
• Applies when: 1) Your website or online service is directed to children under
13, OR 2) Your website or online service is directed to a general audience, but
you have actual knowledge that you collect personal information from
children under 13.
• Sets out procedures for obtaining parental consent and storage of children’s
information

10. Statutory Protection of Privacy - HIPAA
• Covered Entity
• Health Care Provider, Health Plans, Health Care Clearinghouse
• Includes Business Associates: a person or entity that performs certain functions or activities that involve the
use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
• Content of the Notice
• How the covered entity may use and disclose Protected Health Information (“PHI”) about an individual.
• The individual’s rights with respect to PHI and how the individual may exercise these rights, including how the
individual may complain to the covered entity.
• The covered entity’s legal duties with respect to PHI, including a statement that the covered entity is required
by law to maintain the privacy of PHI.
• Whom individuals can contact for further information about the covered entity’s privacy policies.
• The notice must include an effective date. See 45 CFR 164.520(b) for the specific requirements for developing
the content of the notice. A covered entity is required to promptly revise and distribute its notice whenever it
makes material changes to any of its privacy practices. See 45 CFR 164.520(b)(3), 164.520(c)(1)(i)(C) for health
plans, and 164.520(c)(2)(iv) for covered health care providers with direct treatment relationships with
individuals.

11. California’s “Shine the Light” Act
• Applies if a business has an established relationship with a customer
and has within the immediately preceding calendar year disclosed
“personal information” to third parties, and if the business knows or
reasonably should know that the third parties used the personal
information for direct marketing purposes
• Allow users to opt-in or opt-out of information-sharing with third parties for
use in direct marketing; or,
• Any California user can request (once per year) information about personal
information disclosed to third parties

12. EU General Data Protection Regulation (GDPR)
• Applies to all companies processing and holding the personal data of
data subjects residing in the European Union, regardless of the
company’s location
• Any information related to a natural person or ‘Data Subject’, that can be
used to directly or indirectly identify the person.
• Organizations can be fined up to 4% of annual global turnover for
breaching GDPR or €20 Million.

13. EU General Data Protection Regulation (GDPR)
• Must appoint Data Protection Officer if engage in large-scale data collection
• 72-hour breach notification
• Right to Access – “the [data] controller shall provide a copy of the personal data,
free of charge, in an electronic format.”
• Right to be Forgotten – “have the data controller erase his/her personal data,
cease further dissemination of the data, and potentially have third parties halt
processing of the data.”
• Data Portability – “receive the personal data concerning them, which
they have previously provided in a 'commonly use and machine readable format'
and have the right to transmit that data to another controller.”
• Data Minimization – “hold and process only the data absolutely necessary for the
completion of its duties, as well as limiting the access to personal data to those
needing to act out the processing.”

14. TOS Best Practice
• Conspicuously present the TOS to the user prior to any payment (or
other commitment by the user) or installation of software (or other
changes to a user’s machine or browser like cookies, plug-ins, etc.);
• Allow the user to easily read and navigate all of the terms (i.e. be in a
normal, readable typeface with no scroll box);
• Provide an opportunity to print, and/or save a copy of, the terms;
• Offer the user the option to decline as prominently and by the same
method as the option to agree; and
• Ensure the TOS is easy to locate online after the user agrees.
https://www.eff.org/wp/clicks-bind-ways-users-agree-online-terms-service