Description of the enforceability of terms of use, privacy policy requirements, best practices for online services and websites

1. Terms of Use and Privacy
Policy
Best Practices
©2015 Royse Law Firm, P.C.

2. Terms of Use
• Enforceable Terms of Use (TOU)
• Acceptance; Eligibility ; Modifications/Changes
• Enforceable Material Terms
• Clear and Conspicuous Language
• International Issues
• Website Services
• E-commerce Website
• Social Media Platform

3. Enforceability - Acceptance
• Four Types of Electronic Adhesion Contracts (Berkson
v. Gogo LLC and GoGo Inc.)
• Browsewrap agreements -- provide that the user gives assent to the terms
merely by using the site.
• Clickwrap agreements -- require a user to affirmatively click a box on the website
acknowledging awareness of and agreement to the terms of the agreement before
he or she is allowed to proceed with further use of the website.
• Scrollwrap agreements -- require a user to physically scroll through an internet
agreement and click on a separate "I agree" button in order to agree to the terms
and conditions of the host website.
• Sign-in-wrap agreements -- do not require the user to click on a box showing
acceptance of the "terms of use," but instead includes a statement like “By clicking
'NEXT' I agree to the terms of use and privacy policy."

4. Enforcement – Eligibility
• Legally competent to accept the TOU
• 18 years or older
• Mentally competent
• Include representations and warranties by user and
right to terminate/no obligation:
• (e.g. If for any reason, we, in our sole discretion, believe you do not
meet the eligibility requirements set forth above, we reserve the right,
without provision of any notice to you to terminate your account and
the Terms. If you do not meet the eligibility requirements as set forth
above, we have no obligations to you under the Terms.)

5. Enforcement –
Modifications/Changes
• Blanket statement granting right to unilaterally change terms
with or without notice -- generally unenforceable
• Provide prominent notice on the website for any changes
• In addition, Provide notice for material changes by sending
notice to email address designated by user
• Include effective date (e.g. “Last Updated: September 15,
2015)

6. Clear and Conspicuous
Material Terms
• Court in Berkson : TOU must clearly draw attention to material
terms that would alter what a reasonable consumer would
understand to be default rights in an online transaction
• Arbitration Clause
• Include clear language at beginning of TOU putting user on notice:
• (e.g., THESE TERMS CONTAIN AN AGREEMENT TO ARBITRATE IN
SECTION 10 BELOW, WHICH WILL REQUIRE YOU TO SUBMIT
CLAIMS YOU HAVE AGAINST THE COMPANY TO BINDING AND
FINAL ARBITRATION
• Governing Law/Venue
• Restrictions on Class Actions
• Payment Terms (auto-renewal)

7. Website Services
• E-Commerce Website
• Payment Terms (subscription, auto-renewal)
• Disclaimers/Liability
• Limits of Application
• Social Media Platform
• User Generated Content (UGC)
• License to use UGC (avoid assignment/ownership language)
• Prohibited Content (offensive, violent, spam, infringing content, minors)
• DMCA Provision — Must register with the Copyright Office to utilize

8. Best Practices
• Clickwrap or Scrollwrap
• Account Registration
• Clear and Conspicuous Material Terms
• Clear Notification of Modifications/Changes to
Material Terms

9. Take Away
• Analyze the client’s business, services,
potential liabilities, what needs to be protected
• Review samples of TOU with similar services
• Customize

10. Privacy Policy
• Federal Trade Commission (FTC)
• Necessary to avoid unfair and deceptive trade practices
• California Online Privacy Act of 2003 (CalOPPA)
• First law in the nation with a broad requirement for privacy
policies

11. California Online Privacy Act
• Applies to operators of commercial websites and online
services that collect personally identifiable information
about Californians
• Must conspicuously post a privacy policy
• Must comply with the terms of the policy

12. “Online Service”
• Websites
• Ecommerce websites
• Mobile apps (iOS, Android, Windows)
• Desktop apps (Windows, Mac OS X)
• Facebook apps
• SaaS apps
• Or any other platform where users would share their personal
information.

13. “Personally Identifiable Information”
• “Personally identifiable information” (PII) broadly defined:
• information about a consumer collected online and maintained by
the operator in an accessible form, including any of the following:
• first and last name;
• home or other physical address, including street name and name of a city
or town;
• e-mail address;
• A telephone number;
• social security number;
• any other identifier that permits the physical or online contacting of a
specific individual; and
• information concerning a user that the online service collects online from
the user and maintains in personally identifiable form in combination with
an identifier described in this subdivision.

14. Privacy Policy Requirements
• At the very least, you must include (Cal. Bus. & Prof. Code §§ 22575-22579):
• Categories of PII collected through the site or service about users or
visitors,
• Categories of third parties with whom the operator may share the
personally identifiable information,
• Description of process for a user or visitor to review and request changes
to his or her personally identifiable information collected through the site or
service, if the operator maintains such a process,
• Description of process for notifying users and visitors of material changes
to the privacy policy, and
• Effective date of the privacy policy.

15. Special Requirements
• Children’s Online Privacy Act (COPPA)
• PII from children under the age of 13, COPPA regulations may apply
• California Civil Code § 1798.83 “Shine the Light” Law
• California residents permitted to request information regarding the disclosure of their
PII by online service providers to third parties for the third parties’ direct marketing
purposes.
• Do Not Track (DNT) (AB 270 of 2013) “Tracking Transparency Law”
• The law requires two new disclosures in the privacy policy of an operator of a web site
or online service subject to CalOPPA:
• (1) the operator’s response to a browser DNT signal or to “other mechanisms,” --
Required when website collects PII over time and across third-party websites
• can be satisfied by linking to program or policy that explains a users choice
about online tracking – www.allaboutdnt.com
• (2) the possible presence of other parties conducting online tracking

16. Best Practices
Making Your Privacy Practices Public, Kamala D. Harris, California
Department of Justice
• Readability
• Use plain, straightforward language. Avoid technical or legal jargon.
Use a format that makes the policy readable, such as a layered format
• Online Tracking/Do Not Track
• Make it easy for a consumer to find the section in which you describe your policy
regarding online tracking by labeling it, for example: “How We Respond to Do Not
Track Signals,” “Online Tracking” or “California Do Not Track Disclosures.”
• Describe how you respond to a browser’s Do Not Track signal or to other such
mechanisms. This is more transparent than linking to a “choice program.”
• State whether other parties are or may be collecting personally identifiable information
of consumers while they are on your site or service.

17. Best Practices Cont.
• Data Use and Sharing
• Explain your uses of personally identifiable information beyond what is necessary for
fulfilling a customer transaction or for the basic functionality of an online service.
• Whenever possible, provide a link to the privacy policies of third parties with whom
you share personally identifiable information.
• Individual Choice and Access
• Describe the choices a consumer has regarding the collection, use and sharing of his
or her personal information.
• Accountability
• Tell your customers whom they can contact with questions or concerns about your
privacy policies and practices.

18. Best Practices Cont.
• In Addition…
• Incorporate by reference into the TOU to reduce risk/liability without over
complicating Privacy Policy
• Obtain clear consent from user (“By submitting PII through the website you
agree to the terms of this Privacy Policy and you expressly consent to the
collection, use and disclosure of your PII in accordance with this Privacy
Policy”)
• Implement reasonable security measures and explain such measures in the
Privacy Policy

19. Take Away
• Analyze and fully understand the data collection and
retention activities of the client
• Carefully craft the privacy policy to adequately, clearly, and
conspicuously explain privacy practices
• Implement reasonable data security measures (encryption
at the very least)
• Provide opt-in consent when changing the way personal
data is collected and/or used
• Most important of all — adhere to the privacy policy