The last few weeks your inbox has probably been flooded with companies telling you they’ve updated their Privacy Policies in advance of the implementation deadline for the EU’s General Data Protection Regulation (GDPR). The GDPR implements a range of rules designed to give EU citizens more control over their personal data, and how online operators use that data.
While GDPR has rightfully highlighted how companies collect, share, and obtain consent for use of consumer data, as described in a Privacy Policy, the legal contract that governs your interaction with the websites you use – the Terms of Service (TOS) – have often been overlooked in the GDPR hype.
As a legally binding agreement, the TOS set out the basis of a website’s relationships with its users. It is the source of each party’s rights and responsibilities, and governs who can use the website, what content is allowed or prohibited, when a website can stop providing services to a user, what happens in the event of a dispute, among other important parts of the website-user relationship.
For the website operator, TOS are critical in defining what content is considered appropriate, clarifying who owns the intellectual property rights to the content, disclaiming warranties of use, and limiting liability in case of claims of intellectual property infringement. Clearly defining ownership rights of content on the website is important both for the website operator, who can assert ownership of their existing trademarks or copyrights, but also for users who post content. For example, if a website operator plans to use posted content in other formats, the TOS can explain that users grant the website operator a limited license to use their content in other media to promote or advertise the website’s services.
For users, TOS are important for the same reasons, but also because the TOS should set out a procedure for dispute resolution. For example, are disputes settled through binding arbitration or can a user pursue a lawsuit in federal or state court, or join a class action lawsuit? In addition to laying out the legal procedures for dispute resolution, the TOS can also provide the website operator a chance to build user trust. The TOS can designate a customer service phone number, name, or email, and emphasize that every effort will be made to resolve disputes promptly and amicably. The overall structure of the TOS should be easy for a user to follow. This can be done through bold, concise section headings, or a FAQ portion which summarizes answers to common questions, or even a brief 1-2 sentence summary of each section. While the TOS is a legal agreement, it should be easy to read and written to promote good customer service and resolve problems before they escalate to formal legal disputes.
For websites that post third-party content, it’s critical that TOS designate an agent under the Digital Millennium Copyright Act (DCMA). The DMCA agent receive notices of copyright infringement from anyone who thinks their copyright was violated by content posted to the website. Designating a DMCA agent and following the notification procedures laid out by the US Copyright Office gives website operators certain protections from copyright infringement liability. This protection can have huge implications in a potential copyright suit, where damages can reach into the tens of thousands per violation.
For website operators, claiming broad rights or assuming the users’ consent to the TOS can have serious legal consequences. Instagram learned this lesson when it was sued in 2012 for changing its TOS to give the company permission to sell users’ photos without compensation and introducing a mandatory arbitration clause. The suit was ultimately dismissed on procedural grounds, but not before the company withdrew the clause about sharing photos without compensation. TOS are a reflection of a website’s legal relationship with its users, and as Instagram’s example shows, website operators should carefully consider any changes that users could reasonably perceive as changing the terms of that relationship without giving them a chance to consider and re-affirm their consent.
The online shoe retailer Zappos ran into trouble when its mandatory arbitration provision was challenged after a massive data breach exposed the financial information of 24 million customers. Zappos’ TOS was presented in a “browsewrap” format, which binds users simply because they use the website, rather than a “clickthrough” agreement, which requires users to affirmatively click that they agree to the terms. The court did not look favorably on the browsewrap format under contract law because a reasonable user would have no reason to read the agreement and affirmatively assent to it. As such, the TOS was invalid as a contract because there was no mutual agreement between parties on the terms.
In contrast, click-through agreements are more often upheld by courts. Using Zappos as an example, a better practice for a website operator is to require users to click a variation of an “I have read and agree to the Terms” button prior to creating an account or making a purchase, and provide a prominent hyperlink to the TOS next to where a user would click “agree”. A link to the TOS should also be included on every page of the website, most often as a footer. As several court cases since the Zappos decision demonstrate, consent to the TOS should not be presumed simply by continued use of the website, even if this is stated in the TOS.
Ultimately, it is in the interest of both the website operator and the user that the TOS clearly define the relationship, including what is allowed and prohibited, how disputes are resolved, and who owns the content that appears on the website. TOS should be clearly presented and give users every opportunity to review, and provide a mechanism for feedback, such as through a customer service email or phone number. Finally, TOS should require an affirmative act of consent from the user prior to using the services. With these protections in place, users and website operators can forge a relationship with a clear designation of rights and responsibilities, and one that builds trust and allows for a beneficial exchange of information.