Terms of Use and Privacy Policy Best Practices


Description of the enforceability of terms of use, privacy policy requirements, best practices for online services and websites

Published in: Law

  1. Terms of Use and Privacy Policy Best Practices ©2015 Royse Law Firm, P.C.
  2. Terms of Use • Enforceable Terms of Use (TOU) • Acceptance; Eligibility; Modifications/Changes • Enforceable Material Terms • Clear and Conspicuous Language • International Issues • Website Services • E-commerce Website • Social Media Platform
  3. Enforceability – Acceptance • Four Types of Electronic Adhesion Contracts (Berkson v. Gogo LLC and GoGo Inc.) • Browsewrap agreements -- provide that the user gives assent to the terms merely by using the site. • Clickwrap agreements -- require a user to affirmatively click a box on the website acknowledging awareness of and agreement to the terms of the agreement before he or she is allowed to proceed with further use of the website. • Scrollwrap agreements -- require a user to physically scroll through an internet agreement and click on a separate "I agree" button in order to agree to the terms and conditions of the host website. • Sign-in-wrap agreements -- do not require the user to click on a box showing acceptance of the "terms of use," but instead include a statement like "By clicking 'NEXT' I agree to the terms of use and privacy policy."
  4. Enforcement – Eligibility • Legally competent to accept the TOU • 18 years or older • Mentally competent • Include representations and warranties by user and right to terminate/no obligation: • (e.g., If for any reason, we, in our sole discretion, believe you do not meet the eligibility requirements set forth above, we reserve the right, without provision of any notice to you, to terminate your account and the Terms. If you do not meet the eligibility requirements as set forth above, we have no obligations to you under the Terms.)
  5. Enforcement – Modifications/Changes • Blanket statement granting right to unilaterally change terms with or without notice -- generally unenforceable • Provide prominent notice on the website for any changes • In addition, provide notice for material changes by sending notice to email address designated by user • Include effective date (e.g., “Last Updated: September 15, 2015”)
  6. Clear and Conspicuous Material Terms • Court in Berkson: TOU must clearly draw attention to material terms that would alter what a reasonable consumer would understand to be default rights in an online transaction • Arbitration Clause • Include clear language at beginning of TOU putting user on notice: • (e.g., THESE TERMS CONTAIN AN AGREEMENT TO ARBITRATE IN SECTION 10 BELOW, WHICH WILL REQUIRE YOU TO SUBMIT CLAIMS YOU HAVE AGAINST THE COMPANY TO BINDING AND FINAL ARBITRATION) • Governing Law/Venue • Restrictions on Class Actions • Payment Terms (auto-renewal)
  7. Website Services • E-Commerce Website • Payment Terms (subscription, auto-renewal) • Disclaimers/Liability • Limits of Application • Social Media Platform • User Generated Content (UGC) • License to use UGC (avoid assignment/ownership language) • Prohibited Content (offensive, violent, spam, infringing content, minors) • DMCA Provision — Must register with the Copyright Office to utilize
  8. Best Practices • Clickwrap or Scrollwrap • Account Registration • Clear and Conspicuous Material Terms • Clear Notification of Modifications/Changes to Material Terms
  9. Take Away • Analyze the client’s business, services, potential liabilities, what needs to be protected • Review samples of TOU with similar services • Customize
  10. Privacy Policy • Federal Trade Commission (FTC) • Necessary to avoid unfair and deceptive trade practices • California Online Privacy Act of 2003 (CalOPPA) • First law in the nation with a broad requirement for privacy policies
  11. California Online Privacy Act • Applies to operators of commercial websites and online services that collect personally identifiable information about Californians • Must conspicuously post a privacy policy • Must comply with the terms of the policy
  12. “Online Service” • Websites • Ecommerce websites • Mobile apps (iOS, Android, Windows) • Desktop apps (Windows, Mac OS X) • Facebook apps • SaaS apps • Or any other platform where users would share their personal information.
  13. “Personally Identifiable Information” • “Personally identifiable information” (PII) broadly defined: • information about a consumer collected online and maintained by the operator in an accessible form, including any of the following: • first and last name; • home or other physical address, including street name and name of a city or town; • e-mail address; • a telephone number; • social security number; • any other identifier that permits the physical or online contacting of a specific individual; and • information concerning a user that the online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.
  14. Privacy Policy Requirements • At the very least, you must include (Cal. Bus. & Prof. Code §§ 22575-22579): • Categories of PII collected through the site or service about users or visitors, • Categories of third parties with whom the operator may share the personally identifiable information, • Description of process for a user or visitor to review and request changes to his or her personally identifiable information collected through the site or service, if the operator maintains such a process, • Description of process for notifying users and visitors of material changes to the privacy policy, and • Effective date of the privacy policy.
  15. Special Requirements • Children’s Online Privacy Act (COPPA) • If PII is collected from children under the age of 13, COPPA regulations may apply • California Civil Code § 1798.83 “Shine the Light” Law • California residents permitted to request information regarding the disclosure of their PII by online service providers to third parties for the third parties’ direct marketing purposes. • Do Not Track (DNT) (AB 270 of 2013) “Tracking Transparency Law” • The law requires two new disclosures in the privacy policy of an operator of a web site or online service subject to CalOPPA: • (1) the operator’s response to a browser DNT signal or to “other mechanisms” -- required when website collects PII over time and across third-party websites • can be satisfied by linking to program or policy that explains a user’s choice about online tracking • (2) the possible presence of other parties conducting online tracking
  16. Best Practices: Making Your Privacy Practices Public, Kamala D. Harris, California Department of Justice • Readability • Use plain, straightforward language. Avoid technical or legal jargon. Use a format that makes the policy readable, such as a layered format • Online Tracking/Do Not Track • Make it easy for a consumer to find the section in which you describe your policy regarding online tracking by labeling it, for example: “How We Respond to Do Not Track Signals,” “Online Tracking” or “California Do Not Track Disclosures.” • Describe how you respond to a browser’s Do Not Track signal or to other such mechanisms. This is more transparent than linking to a “choice program.” • State whether other parties are or may be collecting personally identifiable information of consumers while they are on your site or service.
  17. Best Practices Cont. • Data Use and Sharing • Explain your uses of personally identifiable information beyond what is necessary for fulfilling a customer transaction or for the basic functionality of an online service. • Whenever possible, provide a link to the privacy policies of third parties with whom you share personally identifiable information. • Individual Choice and Access • Describe the choices a consumer has regarding the collection, use and sharing of his or her personal information. • Accountability • Tell your customers whom they can contact with questions or concerns about your privacy policies and practices.
  18. Best Practices Cont. • In Addition… • Incorporate by reference into the TOU to reduce risk/liability without overcomplicating Privacy Policy • Obtain clear consent from user (“By submitting PII through the website you agree to the terms of this Privacy Policy and you expressly consent to the collection, use and disclosure of your PII in accordance with this Privacy Policy”) • Implement reasonable security measures and explain such measures in the Privacy Policy
  19. Take Away • Analyze and fully understand the data collection and retention activities of the client • Carefully craft the privacy policy to adequately, clearly, and conspicuously explain privacy practices • Implement reasonable data security measures (encryption at the very least) • Provide opt-in consent when changing the way personal data is collected and/or used • Most important of all — adhere to the privacy policy