
California Adopts Three New Data Privacy and Security Laws Affecting Online Companies

Posted on Oct 22nd, 2013

In September 2013, California signed into effect three new laws relating to privacy and data breach. The first is online privacy bill A.B. 370, which amends the California Online Protection Act to add privacy policy disclosure requirements regarding online tracking activity by website operators. This amendment goes into effect on January 1, 2014.

Under current California law, operators of commercial websites or online services (including mobile applications) that collect personally identifiable information (commonly referred to as “PII”) through the Internet about consumers residing in California who use or visit their commercial website or online service are required to conspicuously post a privacy policy on their website or online service and to comply with that policy. The privacy policy is required to disclose the categories of PII that are collected and the categories of entities with whom such information is shared.

The 2013 law requires an operator that collects PII concerning a consumer’s online activities now also to disclose (1) how it responds to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of PII, and (2) whether third parties may also collect PII about an individual consumer’s online activities over time and across different websites when a consumer uses the operator’s website or service.

To be compliant with the new law, a privacy policy must now meet all of the following requirements:

(1) Identify the PII categories that the operator collects through the website or online service about individual consumers who use or visit its commercial website or online service and the categories of third-party persons or entities with whom the operator may share that PII.
(2) If the operator maintains a process for an individual consumer who uses or visits its commercial website or online service to review and request changes to any of the consumer’s PII that is collected through the website or online service, provide a description of that process.
(3) Describe the process by which the operator notifies consumers who use or visit its commercial website or online service of material changes to the operator’s applicable privacy policy.
(4) Identify its effective date.
(5) Disclose how the operator responds to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of PII about an individual consumer’s online activities over time and across third-party websites or online services, if the operator engages in that collection.
(6) Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different websites when a consumer uses the operator’s website or service.
(7) An operator may satisfy the requirement of paragraph (5) by providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.

The second new law is S.B. 46, which adds to the current data security breach notification requirements a new category of data triggering these notification requirements: A user name or email address, in combination with a password or security question and answer that would permit access to an online account. The new law also provides more guidance on how website operators can satisfy disclosure obligations when a breach involves personal information that allows access to an online or email account.  This law also goes into effect on January 1, 2014.

Finally, S.B. 568 relates to online privacy protection for minors. This law will prohibit online marketing or advertising of certain products and services (such as alcohol, tobacco, and U/V tanning products) to children and teenagers under 18. This law goes into effect on January 1, 2015.

Impacted companies must take the opportunity presented before these laws come into effect to examine their data collection, data privacy, and security policies and practices to determine whether they demand any updates. If you have any questions about this topic, please feel free to email us.


Recent Massachusetts Appeals Court Decision Interprets Enforceability of Online Terms and Conditions

Posted on May 9th, 2013

A recent Massachusetts appeals court decision holds that a forum selection and limitation of liability clause is not enforceable under Massachusetts law in a browsewrap agreement. This decision is a useful read both for lawyers drafting these documents and for product developers and UI folks who create the user experience during which these legal terms are viewed and accepted.

The case involves the interpretation of Yahoo!’s Terms of Service (TOS) relating to its free email service.  The case was brought by the administrators of the estate of a Yahoo email user to get court approval for access to the account and the content of the emails.  Because the Yahoo! TOS had a forum selection clause requiring that all disputes be brought in California, the Court had the opportunity to interpret the enforceability under Massachusetts law of such clauses in online agreements.

After noting that the Court has not previously considered the enforceability of forum selection and limitation of liability clauses in online agreements, it looked to the case law on such issues in traditional paper contracts. In those cases, courts have enforced such provisions as long as they have been reasonably communicated and accepted and if, considering all the circumstances, it is reasonable to enforce the provision at issue. The burden on the first prong falls on the issuer of the TOS. On the second prong (that the TOS themselves were reasonable), in the forum selection case, the burden falls on the plaintiffs, and no such burden applies in the case of a limitations provision.

Applying this standard to online agreements, the Court held that Yahoo! did not meet its burden of showing the TOS were reasonably communicated and accepted. Yahoo!’s affidavit that users were “given an opportunity to review” the TOS and Privacy Policy prior to registering was not sufficient by itself. The Court could not infer from that affidavit that the TOS were actually displayed on the user’s screen. If the user was asked to follow a link to the TOS — which is a pretty typical user experience — Yahoo!’s affidavit would have to have provided the specific instructions relating to the link, how prominently the link was displayed, and any other information bearing on the reasonableness of this communication.

The Court also held that Yahoo! failed in showing that the TOS were accepted. Past cases have enforced such provisions only in click-wrap agreements (where “terms of the agreement were displayed, at least in part, on the user’s computer screen and the user was required to signify his or her assent by clicking ‘I accept.’”), but not in browsewrap agreements (where “website terms and conditions of use are posted on the website typically as a hyperlink at the bottom of the screen.”).

On that basis, the Court refused to extend the enforceability to browsewrap agreements and held that the record did not show “the terms of any agreement were reasonably communicated or that they were accepted.”

This case is a reminder that legal attention to one’s online form agreements is a necessary part of operating a web-based business. Especially if the offering is free (or freemium), website owners should take appropriate caution, and may want to sacrifice a little user experience and customer conversion in favor of ensuring that those online terms and conditions are actually going to be enforceable when the time comes.