Click Here to Accept: Your Website Legalities

Let’s talk Privacy Policies and Terms of Use for a moment. Arguably the dullest two pages on your website, these are the ones that no one ever reads, like the wall of text that pops up every time you update your iPhone (and which you scroll quickly as fast as possible and click accept). There is considerable confusion as to why these are important, and if they are even required. Privacy law in general is in a state of somewhat confusion due to the borderless nature of the internet and each individual country (and state) having varying restrictions and requirements in place. Additionally, many of these requirements apply to website operators located outside of the state’s boundaries. The lack of any overarching federal law regulating privacy in the US means that we have ended up with a patchwork of privacy laws, each with their own nuances, definitions, and penalties.

PERSONALLY IDENTIFIABLE INFORMATION (PII)

The single most important term you need to become familiar with when setting up your own website to interact with users, customers, clients, etc. is “personally identifiable information,” or “PII” as it is usually shortened to. This special set of information is what most states’ and countries’ privacy laws concern themselves the most with. Different jurisdictions have different definitions for what they consider PII, but a good rule of thumb is that if you have collected a person’s name + another identifying piece of information about them (e.g. driver’s license #, physical address, email address, etc.), you now have PII in your possession. When you collect PII, you are generally subject to the privacy laws of whatever state or country that person is a citizen of. This means that you need to consider the impact of these laws (or have counsel investigate the legal requirements) before you start collecting PII from citizens of a particular country.

PRIVACY POLICIES

Privacy Policies are essentially legally binding promises that you make, concerning your practices for handling the personal information of your website’s users. Some states (e.g. California) have laws that require website operators to post Privacy Policies on their website as soon as they begin collecting PII about citizens of that state. Failure to do so will result in unwanted attention from the Attorney General, the Federal Trade Commission (FTC), and possibly even private citizens.

So, how are Privacy Policies legally enforceable? When you post a Privacy Policy on your website, you are essentially making a bunch of promises and claims as to how you will handle PII. These promises include things like “we will not sell users PII to third parties for use in marketing campaigns,” and “we will use strong encryption methods to store your social security number.” If you then go and break these promises (e.g. by selling PII to marketers, or storing SSNs in a word doc on your desktop), you have engaged in what the FTC deems a deceptive trade practice. The FTC and state Attorneys General can and will come down hard on companies that engage in this activity (possible penalties include fines of up to $40,000 and imprisonment for up to 10 years, depending on how serious and intentional the violation was).

As your business grows, your data handling practices will usually change and evolve to reflect your needs and the needs of other stakeholders. Having an accurate and up-to-date Privacy Policy that clearly reflects your data and PII handling practices is one of the most significant risk-reducing tools you can have on your website.

TERMS OF USE

Terms of Use (or Terms of Service, the two are used interchangeably) are those things we all automatically click accept on without even blinking. This document (or webpage) defines the relationship between your company and the users of your company’s website. The Terms contain important legal protections for you should a conflict ever arise based on some interaction a user had with your website. They also serve to protect the intellectual property (including source code) on your site that you put so much time and effort into creating. So, how are these Terms enforceable?

Courts have divided Terms of Use into two different types – browsewrap and clickwrap agreements.

  1. Browsewrap Agreements make the Terms of Use available via a link to a separate page on your website. Users are typically not required to click any box to agree to this type of agreement. In general, browsewrap agreements are not as clearly enforceable against users, except for minor, inconsequential issues. This is because the user is never actually alerted to the existence of the agreement before interacting or purchasing something from your website. If you are selling anything on your website, you really should not be relying on browsewrap agreements.
  2. Clickwrap Agreements require the user to click a box acknowledging that they have read the Terms of Use (even if they haven’t). The enforceability of these agreements depends largely on the factors surrounding the user’s click. Were the Terms of Use hyperlinked in a tiny link somewhere below the check box or “buy now” button? This would not likely be enforceable. On the other end of the spectrum – was the user required to scroll through the entire Terms of Use before they could check the box or hit a “buy now” button? This would likely be enforceable because you have given the user the opportunity (or forced them) to read the whole Terms.

While not legally required (unlike Privacy Policies), foregoing your website’s Terms of Use creates significant risk for you and your company, particularly if you sell anything, or have any sort of information presented that users may rely on to their detriment (e.g. nutrition/fitness tips, finance tips, travel advice, etc.). Additionally, simply pulling a Terms of Use off a competitor’s website creates the risk that you are agreeing to certain things that they may have no problem agreeing to, but which may cripple your business if a user was to ever invoke it against you. Customized Terms of Use for your website are vitally important.

COLLECTING PII FROM FOREIGN COUNTRIES

As mentioned above, different countries have different requirements. As much as we would like to treat it as such, the internet is not one borderless realm where anything goes (at least not anymore). Depending on where you operate, or where you are collecting PII from, different sets of laws apply to your collection, handling, and storage of PII.

The European Union, in particular, creates significant compliance headaches for US companies collecting PII about EU citizens and transferring it back to servers in the US. Under EU Data Privacy Directives (and the General Data Protection Regulation, or GDPR), US companies are technically prohibited from transferring EU citizens’ PII to the US due to concerns about the US Government’s bulk data collection practices. In order to do so, US companies must certify, under a program called the EU-US Privacy Shield, that they provide the same adequate level of protection as is required under EU law.

If you are collecting PII from non-US citizens, you should have counsel look into any specific requirements these countries may have.

By: Kieran de Terra, Esq. – 02/26/17

Disclaimer:  Although this article may be considered advertising under applicable law and ethical rules, the information in this article is presented for informational purposes only. Nothing should be taken as legal advice. Reading this article does not form an attorney-client relationship with us. An attorney-client relationship is formed through a signed engagement agreement. If you would like further information, wilkmazz pc would love to help you out! Feel free to reach out with any questions.

Photo Credit: © http://nyphotographic.com/ (CC3 License) (License)