November 2012

On October 30, 2012, California Attorney General Kamala Harris announced that her office would begin notifying the developers of as many as 100 mobile apps that their apps do not comply with the state’s Online Privacy Protection Act (OPPA) and that they have 30 days to bring them into compliance.

The announcement does not come as a surprise. Earlier this year, the Attorney General published a Joint Statement of Principles with the major platforms that distribute and sell mobile apps, providing that they will distribute only apps that have privacy policies that consumers are able to review prior to download. At that time, her office told app developers that they had six months to come into compliance or to be notified of violations. Shortly thereafter, Attorney General Harris formed a Privacy Enforcement and Protection Unit, intended specifically to enforce OPPA and other privacy laws.

In light of the Attorney General’s announcement and her continued focus on privacy, companies that collect personal information online from California residents—whether through a website, online service, or app—should take steps to ensure that they are in compliance. According to the Attorney General’s sample non-compliance letter attached to her press release, failure to comply could subject a company to a fine of up to $2,500 each time a non-compliant app is downloaded.

The Law’s Requirements

OPPA requires a commercial website operator or online service provider, including a mobile app developer, that collects personally identifiable information (PII) from consumers residing in California to post a conspicuous privacy policy. Because OPPA applies to any company that collects data online about California residents, companies both within and outside of California may be subject to enforcement activity.

Under OPPA, the privacy policy must include:

  • The categories of PII that the website, online service, or app collects from its users;
  • The third parties with whom such PII may be shared;
  • The process by which the consumer can review and request changes to his or her PII, if the website operator, online service provider, or app developer maintains such a process;
  • The process by which the operator, provider, or developer notifies consumers of material changes to its privacy policy; and
  • Its effective date.

Additional Considerations

Compliance with OPPA does not necessarily ensure compliance with all applicable laws. In particular, the Federal Trade Commission (FTC) has long taken the position that privacy policies should describe, in a way that consumers can easily understand, all material collection, use, and disclosure practices. This means that, in addition to the information required by OPPA, a privacy policy should include other disclosures, such as:

  • Its scope;
  • How PII may be used;
  • How “other information”—information that may not be considered PII but the collection of which may be material to users—is collected, used, and disclosed. This may include, for instance, users’ clickstream information or other information derived from their interaction with the website, service, or app and collected for purposes of personalizing content or displaying targeted ads;
  • How PII is secured and for how long it may be retained;
  • How the user may exercise various rights, such as to opt out of receiving direct marketing or to opt out of the sharing of his or her PII with third parties;
  • How the user may access the PII collected from him or her and the control that he or she has with respect to it; and
  • How the user can contact the operator or developer.

Drafting a compliant privacy policy is only the first step. A company must also implement measures to ensure that it complies with the representations it makes in its privacy policy, to avoid claims that its privacy policy is deceptive or misleading.

In light of the increased enforcement activity by the California Attorney General and FTC, mobile app developers will want to ensure their mobile apps include a privacy policy, that the privacy policy is conspicuously posted on the mobile apps, and that the privacy policy is followed in practice.

Website operators often take for granted the enforceability of their websites’ terms of service. In a recent order issued in a case from the Central District of California, Nguyen v. Barnes & Noble, Inc., Judge Josephine Tucker reminds us that such presumptions are not necessarily correct: terms of service that do not require an affirmative manifestation of assent from a website user may not always be upheld in court.

Many website operators, particularly Internet retailers and operators of ecommerce sites, use “clickwrap” (or “clickthrough”) agreements to govern use of their sites. With clickwrap agreements, the website operator typically presents its standard terms of use and then requires the user to click an “Accept” or “I Agree” button. By clicking the button, users affirmatively manifest their intent to be bound by the terms. Other website operators use “browsewrap” agreements—terms of agreement that are usually accessible through a hyperlink at the bottom of a web page. Although, as a practical matter, few people actually read them, browsewraps are also widely used.

Both clickwraps and browsewraps are contracts of adhesion in legal parlance. That is, they are contracts that are offered on a “take it or leave it” basis with no opportunity for negotiation. A user who does not wish to be bound by the proffered terms can click “Do Not Accept” or, for a browsewrap, simply leave the website. On the other hand, a user who is willing to be bound can indicate such assent by clicking “I Accept” or by continuing to browse the website. Reasonable people may disagree regarding whether these actions truly manifest a user’s assent to be bound by the relevant contract terms, but courts have frequently upheld the enforceability of both clickwrap and browsewrap terms of use (subject, of course, to the unconscionability concerns raised by any contract of adhesion). As discussed in the remainder of this article, however, browsewrap terms of use often encounter a greater degree of scrutiny from courts due to the lack of any affirmative acceptance by users.

The enforceability of browsewrap terms of use has been held to depend on whether a website user has knowledge—either actual or constructive—of the applicable terms, because users cannot agree to be bound by terms unless they know what those terms are. Courts considering browsewrap enforceability issues often grapple with the question of whether the defendant was given notice of the applicable terms sufficient to impute such knowledge. For example, in Register.com, Inc. v. Verio, Inc., the court determined that numerous and repeated queries by an automated software program were sufficient to show that Verio knew of, and was bound by, Register.com’s terms (although Verio had also admitted that it had actual knowledge of the terms). In Ticketmaster Corp. v. Tickets.com, Inc., on the other hand, the court held that a small link to terms of use that was visible only if the user scrolled down to the bottom of the web page was insufficient to establish notice. But, three years later, the same court (in the same case, no less) ruled that more prominent notice on the site’s home page was adequate notice. While a court’s determination of sufficient notice may vary in each case, it is clear that the more readily available and conspicuous browsewrap terms of use are, the more likely it is that a court will find that the user knew of, and was bound by, the terms.

That brings us to Nguyen v. Barnes & Noble, Inc. In Nguyen, the plaintiff’s claims arose from a Barnes & Noble promotion that offered computer tablets at a discounted price. Although Nguyen submitted an order to purchase a tablet at the promotional price, Barnes & Noble canceled his order the next day, citing an oversale of its tablet inventory. As a result, Nguyen alleged that he was “forced to rely on substitute tablet technology, which he subsequently purchased . . . [at] considerable expense.” In April 2012, Nguyen filed suit, alleging various consumer protection violations, including false advertising, unfair competition, and breach of contract, under California and New York law. Barnes & Noble then moved to compel arbitration based on an arbitration clause included in its website’s browsewrap terms of use. The question before the court was whether, given the existing facts, the arbitration clause was enforceable against Nguyen.

The court ultimately held that the arbitration clause was not enforceable because the terms of use agreement itself was not enforceable. According to Judge Tucker, Barnes & Noble’s website terms of use could not bind Nguyen because Barnes & Noble “did not position any notice even of the existence of its ‘Terms of Use’ in a location where website users would necessarily see it, and certainly did not give notice that those Terms of Use applied, except within the Terms of Use” (emphasis in original). Due to this lack of adequate notice, Nguyen did not know and, in Tucker’s view, should not necessarily have known of Barnes & Noble’s terms of use. Because Nguyen did not have knowledge of the terms, he could not be bound by them. Therefore, Barnes & Noble could not compel arbitration in its dispute with Nguyen.

In light of Nguyen and the other cases discussed above, website operators should consider using clickwraps that require affirmative acceptance where possible, rather than relying on browsewraps to enforce their terms of use. A simple click can be the difference between an agreement’s being found enforceable or not. For ecommerce sites or any site that requires registration prior to use, clickwraps are relatively easy to implement—for example, at the point of purchase or when the user registers—without negatively affecting the user experience. Best practices for clickwraps include presenting terms of service before payment, allowing for easy reading of all terms, allowing users to print or save a copy of the terms, offering a prominent option to decline the terms, providing an easy way for users to find the terms on the site at any time after payment or registration, and giving users notice of (and requiring users to accept) any updates and changes to the terms of use.

For other sites, including some social media sites, the story may differ. Many social media sites—for example, Pinterest, Twitter, and YouTube—allow users to access at least some content and functionality without registering. With sites such as these, there may be no real opportunity to obtain affirmative acceptance of terms of use without degrading the user experience, so a clickwrap is simply not a practical option. For operators of such websites, the most important lesson of Nguyen and the other cases discussed above is that the question of enforceability often turns on whether the user has sufficient notice of the terms of use. Thus, website operators can increase the likelihood that their terms of use will be enforced if links to such terms are prominently displayed, preferably “above the fold” so that a user will be able to see the link without scrolling down the page. As Nguyen and the other cases illustrate, an operator who places links to terms of use in a tiny font buried at the bottom of a page may be in for an unpleasant surprise if those terms ever need to be enforced.