Jim Peiser - Establishing Optimal Terms of Service and Privacy Policies
1. Terms of Service &
Privacy Policies
Setting the Ground Rules for Your Site Through Legal Mumbo-Jumbo
james f. peiser, esq.
jp@jamespeiser.com
July 2, 2013
2. One quick note…
This presentation discusses general legal issues, but it does not constitute
legal advice in any respect, and is not the basis for an attorney-client
relationship. I’d ask that no reader / attendee act or refrain from acting
based on any information presented herein without seeking the advice of
counsel, and expressly disclaim liability for any action taken or not taken
based on the contents of this presentation.
Lawyers, am I right?
Seriously, though – this world moves fast, and occasionally the law keeps
up, especially with respect to the ever-evolving world of privacy. So some
of this information may get outdated quickly (or, because I don’t have an
army of researchers handy, may already be outdated – but I’ve taken
reasonable steps to have this not be the case).
3. “
”
It is the beginning of wisdom when you
recognize that the best you can do is
choose which rules you want to live by,
and it's persistent and aggravated
imbecility to pretend you can live without
any.
- Wallace Stegner
Terms of Service: Choosing Which Rules You Want to Live By
4. Terms of Service:
Just Another Contract, Really
Your Terms of Service is a contract between your company and the users of
your site/product/service.
Like any binding contract, it creates a set of mutual expectations and
obligations – that you will provide the service, and that the user will use the
service in accordance with the Terms.
Acting against that expectation – a breach of the contract – generally
would be grounds for terminating use of the service.
Terms should be narrowly tailored to your business – a hardware store
wouldn’t have a “raw or undercooked foods” warning sign
Compare some selected parts of the Terms of Service/Use of a couple of
well-known companies: TwitPic and Foursquare
5. Use or Registration = Agreement
“By using Twitpic.com, you signify that you have read,
understand and agree to be bound by these Terms and
conditions.”
Silent on amendment process, if any, for regular “users”
– separate government TOS includes language around
amendments
Unclear whether “use” is akin to “registration” or
includes passively accessing content (pictures)
“By registering for and/or using the Service in any manner,
including but not limited to visiting or browsing the Site, you
agree to all of the terms and conditions contained herein
("Terms of Use"), which also incorporate Foursquare's Privacy
Policy, Foursquare's Intellectual Property Policy,
Foursquare's Photo Guidelines, Foursquare's Venue Terms
and Conditions, Foursquare's API License Agreement and all
other operating rules, policies and procedures that may be
published from time to time on the Site by Foursquare, each
of which is incorporated by reference and each of which
may be updated by Foursquare from time to time without
notice to you in accordance with the terms set out under
the "Modification of Terms of Use" section below. In addition,
some services offered through the Service may be subject
to additional terms and conditions specified by Foursquare
from time to time; your use of such services is subject to
those additional terms and conditions, which are
incorporated into these Terms of Use by this reference.
These Terms of Use apply to all users of the Service,
including, without limitation, users who are contributors of
content, information, and other materials or services on the
Site, individual users of the Service, venues that access the
Service, and users that have a page on the Service.”
A bit more useful, if overly legalese-y
Be clear about the definitions of “use,” “registration,” etc.
6. Adults Only?
“Twitpic is concerned about the safety and
privacy of all its Users, especially children.
Therefore, children under the age of 13 are
not permitted to use Twitpic.com.”
You represent and warrant that if you are
an individual, you are of legal age to form a
binding contract, or that if you are
registering on behalf of an entity, that you
are authorized to enter into, and bind the
entity to, these Terms of Use and register for
the Service. The Service is not available to
individuals who are younger than 13 years
old. Foursquare may, in its sole discretion,
refuse to offer the Service to any person or
entity and change its eligibility criteria at
any time. You are solely responsible for
ensuring that these Terms of Use are in
compliance with all laws, rules and
regulations applicable to you and the right
to access the Service is revoked where
these Terms of Use or use of the Service is
prohibited and, in such circumstances, you
agree not to use or access the Site or
Services in any way.
• Set an age limit of at least 13 unless geared towards kids.
• Avoid the “Columbia House” problem.
7. Content / User Content Etc.
“TwitPic reserves the right to remove any image for any
reason whatsoever. Specifically, any image uploaded
that is pornographic or offensive in nature (including
nudity, violence, sexual acts, or sexually provocative
images.), infringes upon copyrights not held by the
uploader, is illegal or violates any laws, will be
immediately deleted and the IP address of the
uploaded reported to authorities. Violating these terms
may result in termination of your ability to upload further
images. We reserve the right to ban any individual
uploader or website domain from using our services for
any reason.”
“We cannot be held liable for any damages. All data,
photographs, videos, messages, graphics, comments,
text, tags, or other materials ("Content"), are the sole
responsibility of the person from whom such Content
originated. You, and not Twitpic, are entirely responsible
for all Content that you upload, post, email, transmit or
otherwise make available through Twitpic. Twitpic does
not control the Content posted and does not
guarantee the accuracy or integrity of such Content.
“Twitpic shall not be liable for any statements or
conduct of any third party using the service. By using
Twitpic you may be exposed to Content that is
indecent, objectionable or offensive.
Going to quickly flip to the actual TOS, as there is a lot in
there about content.
Note the different flavors of Content specified
Never a bad idea to have different policies for different
types of content: “If the User Submission includes a
photograph, Foursquare's Photo Guidelines shall apply.”
Especially never a bad idea to spell out your (strongly
held, opposed-to-it) position on child pornography:
“Foursquare has a zero-tolerance policy against child
pornography, and will terminate and report to the
appropriate authorities any user who publishes or
distributes child pornography.”
Spell out control mechanisms and disclaim liability for problematic content –
but ensure that proper compliance methods established.
8. Termination
“TwitPic reserves the right to remove any
image for any reason whatsoever.
Specifically, any image uploaded that is
pornographic or offensive in nature
(including nudity, violence, sexual acts,
or sexually provocative images.),
infringes upon copyrights not held by the
uploader, is illegal or violates any laws,
will be immediately deleted and the IP
address of the uploaded reported to
authorities. Violating these terms may
result in termination of your ability to
upload further images. We reserve the
right to ban any individual uploader or
website domain from using our services
for any reason.”
“Foursquare may terminate your access
to all or any part of the Service and/or
Add-to Link at any time, with or without
cause, with or without notice, effective
immediately, which may result in the
forfeiture and destruction of all
information associated with your
membership. If you wish to terminate
your account, you may do so by
following the instructions on the Site. Any
fees paid hereunder are non-
refundable. All provisions of these Terms
of Use which by their nature should
survive termination shall survive
termination, including, without limitation,
ownership provisions, warranty
disclaimers, indemnity and limitations of
liability.”
Generally, you want to be able to terminate for any reason, but also
specify most-terminable violations
(NB: paid v. free, conversion, etc.)
9. Indemnity
“You agree to indemnify and hold Twitpic, its
officers and employees exempt from any claim
or demand, including reasonable attorneys'
fees, made by any third party due to or arising
out of Content you submit, transmit, post or
otherwise make available through Twitpic.”
“You shall defend, indemnify, and hold
harmless Foursquare, its affiliates and each of
its and its affiliates' employees, contractors,
directors, suppliers and representatives from all
losses, costs, actions, claims, damages,
expenses (including reasonable legal costs) or
liabilities, that arise from or relate to your use or
misuse of, or access to, the Site, Service,
Content, Add-to Link or otherwise from your
User Submissions, violation of these Terms of
Use, or infringement by you, or any third party
using the your account, of any intellectual
property or other right of any person or entity
(save to the extent that a court of competent
jurisdiction holds that such claim arose due to
an act or omission of Foursquare). Foursquare
reserves the right to assume the exclusive
defense and control of any matter otherwise
subject to indemnification by you, in which
event you will assist and cooperate with
Foursquare in asserting any available
defenses.”
If a user violates your terms and causes actual damage to your business,
ensure you have asserted your right to indemnification.
10. Miscellany
“You agree that regardless of any
statute or law to the contrary, any claim
or cause of action arising out of or
related to use of the Service or the Terms
of Service must be filed within one (1)
year after such claim or cause of action
arose or be forever barred.”
“Data mining, "scraping", and/or
unauthorized crawling of Twitpic by any
means is prohibited unless explicit
permission is given. Using any data from
Twitpic (including images, data from
images and/or users) that is not
available through authorized channels is
also prohibited unless explicit permission
is given. Storing, saving and/or retaining
images of any size is also prohibited.”
“Foursquare shall not be liable for any
failure to perform its obligations
hereunder where such failure results from
any cause beyond Foursquare's
reasonable control, including, without
limitation, mechanical, electronic or
communications failure or degradation
(including "line-noise" interference).
These Terms of Use are personal to you,
and are not assignable, transferable or
sublicensable by you except with
Foursquare's prior written consent.
Foursquare may assign, transfer or
delegate any of its rights and obligations
hereunder without consent. No agency,
partnership, joint venture, or
employment relationship is created as a
result of these Terms of Use and neither
party has any authority of any kind to
bind the other in any respect.”
11. Copyright Ownership and Licensing –
Probably the Most Important Part of your
Terms
Spell out your license that users grant you– along the lines of “By uploading
content, you grant to [Company] a non-exclusive, worldwide, royalty-free, sub-
licenseable and transferable license to use, reproduce, distribute, prepare
derivative works of, display, and perform the content”
Facebook: “non-exclusive, transferable, sub-licensable, royalty-free, worldwide
license to use any IP content that you post on or in connection with Facebook.
This IP License ends when you delete your IP content or your account unless
your content has been shared with others, and they have not deleted it.”
Of course, users might not like it, but they are free to walk away.
You could also grant users a [worldwide, non-exclusive, non-sublicensable, non-
transferable] license to use, modify and reproduce your own and your partners’
content, solely for personal use
If you have user-generated content, make sure you are very clear about UGC
ownership.
12. “
”
When it comes to privacy and
accountability, people always
demand the former for
themselves and the latter for
everyone else.
-David Brin
How to create a Privacy Policy that Works For People and Everyone Else
13. The Internet Is Still Not A Truck:
It’s a Series of Tubes, and Has Very Little Respect for Geographic Boundaries
Email Monitoring Laws:
CT: Conn. Gen. Stat.§ 31-48d
Prior written notice to all employees
required, advising of types of
electronic monitoring which may
occur.
Exception for suspected illegal
activity
DE: Del. Code § 19-7-705
Employer must give a one-time
written or electronic notice
before monitoring email or Internet
access or usage of an employee
Exceptions for maintenance and
court orders
Only applies to companies with a
“place of business” in Delaware
Misleading/False Privacy Policy
Laws:
NE: NE Statute § 87-302 (14)
It’s a “deceptive trade practice” to
“Knowingly makes a false or
misleading statement in a privacy
policy, published on the Internet or
otherwise distributed or published,
regarding the use of personal
information submitted by members
of the public.”
There’s also a bit about uninstalling
spyware & (I think?) P2P clients, but
that’s not an issue, right?
PA: 18 Pa. C.S.A. § 4107(a)(10)
Pretty much identical to Nebraska’s
14. California All The Way – PII & CA
S. 22577(a): The term "personally identifiable information" means individually identifiable
information about an individual consumer collected online by the operator from that individual
and maintained by the operator in an accessible form, including any of the following:
(1) A first and last name.
(2) A home or other physical address, including street name and name of a city or town.
(3) An e-mail address.
(4) A telephone number.
(5) A social security number.
(6) Any other identifier that permits the physical or online contacting of a specific individual.
(7) Information concerning a user that the Web site or online service collects online from the user and
maintains in personally identifiable form in combination with an identifier described in this subdivision.
CA BUSINESS AND PROFESSIONS CODE SECTION 22575
(a) An operator of a commercial Web site or online service that collects personally identifiable
information through the Internet about individual consumers residing in California who use or
visit its commercial Web site or online service shall conspicuously post its privacy policy on its
Web site, or in the case of an operator of an online service, make that policy available in
accordance with paragraph (5) of subdivision (b) of Section 22577. An operator shall be in
violation of this subdivision only if the operator fails to post its policy within 30 days after being
notified of noncompliance.
15. Back to 22575 For a Moment…
(b) The privacy policy required by subdivision (a) shall do all of the following:
(1) Identify the categories of personally identifiable information that the operator
collects through the Web site or online service about individual consumers who use or
visit its commercial Web site or online service and the categories of third-party persons
or entities with whom the operator may share that personally identifiable information.
(2) If the operator maintains a process for an individual consumer who uses or visits its
commercial Web site or online service to review and request changes to any of his or
her personally identifiable information that is collected through the Web site or online
service, provide a description of that process.
(3) Describe the process by which the operator notifies consumers who use or visit its
commercial Web site or online service of material changes to the operator's privacy
policy for that Web site or online service.
(4) Identify its effective date.
16. Seriously, California?
California also has a “Shine the Light Law” - CA Civil Code § 1798.83
Applies to companies that share any of 27 types of users’ PII with third parties for direct
marketing purposes.
Safe harbor: Under 20 employees
If you need to comply with this, be sure to place a link on your homepage that says “Your
Privacy Rights” or “Your California Privacy Rights”
Provide contact details for users who want further information
Respond to any such requests – don’t have a mailbox that goes unchecked for years
Need to have a brief statement explaining the law and how users can opt out of having PII
shared with direct marketers.
From Topps’ website: “If you are a California resident, you are entitled by law to request
certain information regarding Topps’ disclosure to third parties of personal information for
their direct marketing purposes. To make such a request, submit a written request to the
address listed in the Contact section below, or send an e-mail to
privacypolicy@topps.com, specifying that you seek your "California Customer Privacy
Notice." Please allow thirty days for a response.”
17. Oh, Massachusetts, You Too?
Data Protection in the US is highly fragmented – see federal laws like FCRP (Fair Credit
Reporting Act), HIPAA (Health Insurance Portability and Accountability Act ), VPPA (Video
Privacy Protection Act – applies to movie rentals, not ATM cameras. Yes, even Netflix
records).
In 2010, Massachusetts’ data protection law, 201 CMR 17.00, became effective; while
other states have enacted similar laws, this is almost certainly the most onerous.
Aimed at data security breaches, like TJX or Briar Group; puts onus on business that
collected PII / customer data.
“Personal Information” is limited to “a Massachusetts resident's first name and last name or
first initial and last name in combination with any one or more of the following data
elements that relate to such resident: (a) Social Security number; (b) driver's license
number or state-issued identification card number; or (c) financial account number, or
credit or debit card number, with or without any required security code, access code,
personal identification number or password, that would permit access to a resident’s
financial account”
If you’ve got a user in Massachusetts and you take credit cards, well… comply or risk
$5,000 fines, in addition to the embarrassment of a security breach.
Requires a “Written Information Security Program,” applicable to all records containing
personal information about a resident of the Commonwealth of Massachusetts.
Also, all your vendor contracts must specify compliance with MA laws.
18. You’re Better Than That
The California laws sets minimum standards that all online businesses should
adhere to as a matter of (a) compliance with respect to users in California
and (b) getting on the road to best practices.
Doing the bare minimum shouldn’t be enough for the savvy entrepreneur.
Whether or not you need a WISP, having well-defined policies in place will
go a long way towards establishing a solid culture of compliance.
Again, tailor your policies to your business – but consider how it might grow,
and don’t be caught flat-footed, well-begun being half-done.
It’s really not that complicated:
19. Essential Elements of Privacy Policy
What Information Do You Collect?
Registration / User-Supplied Information
Biographical information, email address, etc.
Include data collected through 3rd Party Login (OAuth - FB Connect, Twitter)
Automatically Collected
O/S, browser, geolocation, referral links, etc.
Again, even if third party (Google Analytics)
Cookies (or the like)
Disclose if you use.
20. Essential Elements of Privacy Policy
What Do You DO With Said Information?
Purpose of collection (i.e., customizing user experience, sales, etc.)
Do you share it? And do you share the PII or aggregate data?
Internal recipients as well as third parties, and why?
Law Enforcement – Look for this landscape to change soon…
Transfer protocol in the event of a major corporate event – i.e., a sale of the
company or bankruptcy
You take reasonable precautions with respect to security, etc.
How can users Change / Review stored information?
What Date was the policy last updated?
21. Essential Elements of Privacy Policy
California OPPA and Shine the Light elements
COPPA elements
European elements
22. Other Suggestions for Policy Drafting
Make it easy to read, use short sentences and prefer the active voice.
Include links to definitions of jargon-y concepts if they’re unavoidable.
“HTML 5? I loved their show at Roseland!”
Don’t make promises you aren’t sure you can keep.
Pro-Tip: You aren’t going to be sure you can keep any promises.
“We’ll NEVER share your data! Not even with the NSA!”
Could pose a problem in the event of a security breach
Consider a simplified summary of the key elements up front, followed by a
more fulsome discussion.
Have someone other than your attorney read it.
23. A Word or 205 on COPPA
The Children’s Online Privacy Protection Act applies to sites allowing users under 13
Enacted in 1998, effective in 2000, rules promulgated by the Federal Trade Commission
The FTC has a very helpful FAQ on FTC.gov, “Complying with COPPA: Frequently Asked
Questions”
Thankfully, the Rule has a safe harbor: “COPPA covers operators of general audience Web
sites or online services only where such operators have actual knowledge that a child
under age 13 is the person providing personal information.” (from said FAQ)
Twitpic’s Privacy Policy: “The Site is not directed to persons under 13. If a parent or
guardian becomes aware that his or her child has provided us with personally identifiable
information without their consent, he or she should contact us. We do not knowingly
collect personally identifiable information from children under 13. If we become aware
that a child under 13 has provided us with personal identifiable Information, we will delete
such information from our system.”
Foursquare’s: “ The Service is not available to individuals who are younger than 13 years
old.”
Doesn’t address what happens if a child manages to sign up
Bottom Line: If you’re marketing to kids at all, COPPA compliance is extremely important.
24. Sample COPPA Compliance
(Actually Marketing to Kids)
At Topps, children’s privacy is important to us. We are committed to providing fun, entertaining, and secure Sites for all ages, particularly
our younger users. Therefore, we have implemented the special measures described below to help children protect their privacy while
online.
Information We Collect: There are many activities on the Topps Sites or portions of Sites directed to children that children can participate
in and enjoy without providing personally identifiable information. To enable their participation in some of our interactive features (e.g.,
contests, newsletters, online games, electronic postcards to family or friends), children will need to provide us with certain personally
identifiable information. The types of personally identifiable information is typically limited to first name and e-mail addresses. We also
may ask users to provide certain information that is not personally identifiable, such as city or state of residence, date of birth and
gender.
Use and Disclosure of Information: To participate in certain features, we may ask a visitor to register. When users who attempt to register
indicate that they are children, depending on their age or location, we either collect no personally identifiable information from them or
inform them that a parent or guardian’s consent is necessary to participate in the activity. To obtain consent, we will collect the e-mail
address of the visitor’s parent or guardian in addition to that of the visitor. We use the parent or guardian’s e-mail address to obtain
consent or notify parents or guardians of their child’s online activities and to enable them to unsubscribe the child from a newsletter or
other similar activity. For visitors that we know are children, we will not condition participation in an online activity on the disclosure of
more personally identifiable information than reasonably necessary to participate in the activity.
Unless we indicate otherwise or obtain consent, personally identifiable information collected from children is generally used by Topps or
Topps’ agent and contractors for internal purposes, such as enabling visitors to enter our online contests or sweepstakes, to subscribe to
an online newsletter, to play an online game, to provide customer service, and/or for the purposes for which the information was
provided. We do not share children’s personally identifiable information with outside third parties not bound by this Policy for their own
marketing purposes.
We may share children’s personally identifiable information with third parties to the extent reasonably necessary to: protect the security
or integrity of our Sites; take precautions against liability; respond to judicial process or law enforcement agency request or investigation;
or to the extent permitted by law or consistent with this policy or legal requirements.
Reviewing Information/Contact: If you would like to review any personally identifiable information that we have collected online from
your child, have this information deleted, and/or request that there be no further collection or use of your child’s information or if you
have questions about these information practices, you may email us at privacypolicy@topps.com; write to us at Topps US, One Whitehall
Street New York, NY 10004; or call us at 1-888-GOTOPPS.
25. Going Global?
The European Union and its member states are, to put it mildly, difficult when it
comes to data protection and privacy.
If you’re doing business in Europe, you’ll need to follow the EU’s Data Protection
Directive – soon to be supplanted by a new Directive, the General Data
Protection Regulation.
Seriously, consult a lawyer who knows what she’s doing to help shape your data
protection regime if you’re transacting globally.
Example of some added language for EU requirements: “As Topps operates
globally, we may need to transfer to and process personally identifiable
information about you on our servers in the United States. Please note that the
data protection laws of other countries, such as the United States, may not offer
a level of privacy protection equivalent to that within the European Economic
Area or your home country. Be assured, however, that we will take reasonable
steps to protect personally identifiable information collected at our Sites. By
using this Site, you expressly consent to such transfer.”
26. Thanks For Joining Me!
I guess it’s Q & A time then
(Assuming, of course, I haven’t blathered on for the full 2 hours)