Terms of Service and Privacy Policies

Law school class presentation on terms of service and privacy policies including GDPR and California Shine the Light Act.

Published in: Law

  1. Terms of Service and Privacy Policies
  2. Readings
     • ProCD v. Zeidenberg, 86 F.3d 1447 (7th Cir. 1996)
     • Hill v. Gateway 2000, 105 F.3d 1147 (7th Cir. 1997)
     • Specht v. Netscape, 306 F.3d 17 (2nd Cir. 2002)
     • v. Verio, 356 F.3d 393 (2nd Cir. 2004)
     • Hines v. Overstock, 668 F.Supp.2d 362 (EDNY 2009) (aff’d 2d Cir. 2010)
     • Fteja v. Facebook, 841 F.Supp.2d 829 (SDNY 2012)
     • Meyer v. Uber, 868 F.3d 66 (2nd Cir. 2017)
  3. Contract Formation
     • Offer
       • Must contain essential terms of the agreement
     • Acceptance
       • Notice
       • Opportunity to Reject
       • Physical Manifestation of Assent
     • Consideration
       • Anything of value
  4. Acceptance
     • “By visiting and staying on this website you agree …”
     • “By enrolling as a User on this website you agree …”
     • “By clicking ‘I Agree’ you agree …”
  5. Types of Agreements
     In order of enforceability – from most to least enforceable
     • Negotiated: Two parties bargain for the exchange of goods/services/cash
     • Shrinkwrap: Terms written on box or notice of terms visible on exterior of box and contained inside box or on software
     • Scroll-wrap (?!): User sent to terms and required to scroll through terms before presented with “I Agree” button
     • Clickwrap: User sent to terms, but not required to scroll through them before presented with an “I Agree” button
     • Sign-in Wrap (?!): Link to terms provided next to “Sign Up” button, with instructions to “Please read the terms linked here before you continue” or “By clicking ‘Sign Up’ you agree to the terms found here” – user is not required to click through to terms before continuing in process
     • Browsewrap: A link to the terms is provided near (though maybe not next to) the prompt to continue and user is not prompted to engage with the terms in any manner
  6. Terms of Service
     • Set Expectations
     • Definition of Service
     • Process for acquiring service
     • Customer Support
     • Payment Terms
     • Intellectual Property Rights of Company and/or Users
     • Compliance Issues
     • Limitation of Liability (Waiver of Warranties)
     • Forum Selection and/or Arbitration
  7. Terms of Service
     • Terms of Service
     • Terms of Use
     • Software as a Service Agreement
     • End User Agreement
     • Platform Hosting Agreement
     • Software Licensing Agreement
     • Master Licensing Agreement (“MLA”)
     • Pendant Licensing Agreements
     • Master Service Agreement (“MSA”)
     • Statement of Work (“SOW”)
     • Service Level Agreement (“SLA”)
  8. So What About Privacy Policies?
     • Contract? No.
     • Statutorily required to disclose collected information and how information is being used
     • COPPA (Children under 13)
     • HIPAA (Protected Health Information)
     • California “Shine the Light”
     • EU General Data Protection Regulation
     • EU Safe Harbor
     • Special agreement with Switzerland
  9. Statutory Protection of Privacy
     • COPPA – 15 USC 6501, et seq; 16 CFR 312
     • Applies when:
       1) Your website or online service is directed to children under 13, OR
       2) Your website or online service is directed to a general audience, but you have actual knowledge that you collect personal information from children under 13.
     • Sets out procedures for obtaining parental consent and storage of children’s information
  10. Statutory Protection of Privacy - HIPAA
     • Covered Entity
       • Health Care Provider, Health Plans, Health Care Clearinghouse
       • Includes Business Associates: a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
     • Content of the Notice
       • How the covered entity may use and disclose Protected Health Information (“PHI”) about an individual.
       • The individual’s rights with respect to PHI and how the individual may exercise these rights, including how the individual may complain to the covered entity.
       • The covered entity’s legal duties with respect to PHI, including a statement that the covered entity is required by law to maintain the privacy of PHI.
       • Whom individuals can contact for further information about the covered entity’s privacy policies.
       • The notice must include an effective date.
     See 45 CFR 164.520(b) for the specific requirements for developing the content of the notice. A covered entity is required to promptly revise and distribute its notice whenever it makes material changes to any of its privacy practices. See 45 CFR 164.520(b)(3), 164.520(c)(1)(i)(C) for health plans, and 164.520(c)(2)(iv) for covered health care providers with direct treatment relationships with individuals.
  11. California’s “Shine the Light” Act
     • Applies if a business has an established relationship with a customer and has within the immediately preceding calendar year disclosed “personal information” to third parties, and if the business knows or reasonably should know that the third parties used the personal information for direct marketing purposes
     • Allow users to opt-in or opt-out of information-sharing with third parties for use in direct marketing; or,
     • Any California user can request (once per year) information about personal information disclosed to third parties
  12. EU General Data Protection Regulation (GDPR)
     • Applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location
     • Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person.
     • Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million.
  13. EU General Data Protection Regulation (GDPR)
     • Must appoint Data Protection Officer if engaged in large-scale data collection
     • 72-hour breach notification
     • Right to Access – “the [data] controller shall provide a copy of the personal data, free of charge, in an electronic format.”
     • Right to be Forgotten – “have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.”
     • Data Portability – “receive the personal data concerning them, which they have previously provided in a 'commonly use and machine readable format' and have the right to transmit that data to another controller.”
     • Data Minimization – “hold and process only the data absolutely necessary for the completion of its duties, as well as limiting the access to personal data to those needing to act out the processing.”
  14. TOS Best Practice
     • Conspicuously present the TOS to the user prior to any payment (or other commitment by the user) or installation of software (or other changes to a user’s machine or browser like cookies, plug-ins, etc.);
     • Allow the user to easily read and navigate all of the terms (i.e. be in a normal, readable typeface with no scroll box);
     • Provide an opportunity to print, and/or save a copy of, the terms;
     • Offer the user the option to decline as prominently and by the same method as the option to agree; and
     • Ensure the TOS is easy to locate online after the user agrees.