In Kevin Khoa Nguyen v. Barnes & Noble Inc., 2014 U.S. App. LEXIS 15868 (9th Cir. 2014), decided on August 18, 2014, the Ninth Circuit rejected an attempt to bind a consumer to an arbitration clause found in an online terms of use agreement not affirmatively “click accepted” by the consumer but readily accessible through a hyperlink at the bottom left of each page on the subject website.

The case arose from a “fire sale” by defendant Barnes & Noble of certain discontinued Hewlett Packard TouchPads. Plaintiff Nguyen had ordered two of the TouchPads, but received a notice from Barnes & Noble the following day that his order had been cancelled due to unexpectedly high demand. Nguyen sued Barnes & Noble in California Superior Court on behalf of himself and a putative class, arguing that he was forced to buy a more expensive tablet instead.

Barnes & Noble, after removing the suit to federal court, moved to compel arbitration under the Federal Arbitration Act, arguing that, by using the Barnes & Noble website, Nguyen had agreed to an arbitration clause contained in Barnes & Noble’s Terms of Use. Nguyen responded that he could not be bound to the arbitration clause because he had no notice of and did not consent to the Terms of Use. Barnes & Noble countered that the placement of the Terms of Use hyperlink on its website had given Nguyen constructive notice of the arbitration clause.

Continue Reading To Click or Not to Click? Ninth Circuit Rejects Browsewrap Arbitration Clause

Website operators often take for granted the enforceability of their websites’ terms of service. In a recent order issued in a case from the Central District of California, Nguyen v. Barnes & Noble, Inc., Judge Josephine Tucker reminds us that such presumptions are not necessarily correct: terms of service that do not require an affirmative manifestation of assent from a website user may not always be upheld in court.

Many website operators, particularly Internet retailers and operators of ecommerce sites, use “clickwrap” (or “clickthrough”) agreements to govern use of their sites. With clickwrap agreements, the website operator typically presents its standard terms of use and then requires the user to click an “Accept” or “I Agree” button. By clicking the button, users affirmatively manifest their intent to be bound by the terms. Other website operators use “browsewrap” agreements—terms of agreement that are usually accessible through a hyperlink at the bottom of a web page. Although, as a practical matter, few people actually read them, browsewraps are also widely used.

Both clickwraps and browsewraps are contracts of adhesion in legal parlance. That is, they are contracts that are offered on a “take it or leave it” basis with no opportunity for negotiation. A user who does not wish to be bound by the proffered terms can click “Do Not Accept” or, for a browsewrap, simply leave the website. On the other hand, a user who is willing to be bound can indicate such assent by clicking “I Accept” or by continuing to browse the website. Reasonable people may disagree regarding whether these actions truly manifest a user’s assent to be bound by the relevant contract terms, but courts have frequently upheld the enforceability of both clickwrap and browsewrap terms of use (subject, of course, to the unconscionability concerns raised by any contract of adhesion). As discussed in the remainder of this article, however, browsewrap terms of use often encounter a greater degree of scrutiny from courts due to the lack of any affirmative acceptance by users.

The enforceability of browsewrap terms of use has been held to depend on whether a website user has knowledge—either actual or constructive—of the applicable terms, because users cannot agree to be bound by terms unless they know what those terms are. Courts considering browsewrap enforceability issues often grapple with the question of whether the defendant was given notice of the applicable terms sufficient to impute such knowledge. For example, in Register.com, Inc. v. Verio, Inc., the court determined that numerous and repeated queries by an automated software program were sufficient to show that Verio knew of, and was bound by, Register.com’s terms (although Verio had also admitted that it had actual knowledge of the terms). On the other hand, in Ticketmaster Corp. v. Tickets.com, Inc., on the other hand, the court held that a small link to terms of use that was visible only if the user scrolled down to the bottom of the web page was insufficient to establish notice. But, three years later, the same court (in the same case, no less) ruled that more prominent notice on the site’s home page was adequate notice. While a court’s determination of sufficient notice may vary in each case, it is clear that the more readily available and conspicuous browsewrap terms of use are, the more likely it is that a court will find that the user knew of, and was bound by, the terms.

That brings us to Nguyen v. Barnes & Noble, Inc. In Nguyen, the plaintiff’s claims arose from a Barnes & Noble promotion that offered computer tablets at a discounted price. Although Nguyen submitted an order to purchase a tablet at the promotional price, Barnes & Noble canceled his order the next day, citing an oversale of its tablet inventory. As a result, Nguyen alleged that he was “forced to rely on substitute tablet technology, which he subsequently purchased . . . [at] considerable expense.” In April 2012, Nguyen filed suit, alleging various consumer protection violations, including false advertising, unfair competition, and breach of contract, under California and New York law. Barnes & Noble then moved to compel arbitration based on an arbitration clause included in its website’s browsewrap terms of use. The question before the court was whether, given the existing facts, the arbitration clause was enforceable against Nguyen.

The court ultimately held that the arbitration clause was not enforceable because the terms of use agreement itself was not enforceable. According to Judge Tucker, Barnes & Noble’s website terms of use could not bind Nguyen because Barnes & Noble “did not position any notice even of the existence of its ‘Terms of Use’ in a location where website users would necessarily see it, and certainly did not give notice that those Terms of Use applied, except within the Terms of Use” (emphasis in original). Due to this lack of adequate notice, Nguyen did not know and, in Tucker’s view, should not necessarily have known of Barnes & Noble’s terms of use. Because Nguyen did not have knowledge of the terms, he could not be bound by them. Therefore, Barnes & Noble could not compel arbitration in its dispute with Nguyen.

In light of Nguyen and the other cases discussed above, website operators should consider using clickwraps that require affirmative acceptance where possible, rather than relying on browsewraps to enforce their terms of use. A simple click can be the difference between an agreement’s being found enforceable or not. For ecommerce sites or any site that requires registration prior to use, clickwraps are relatively easy to implement—for example, at the point of purchase or when the user registers—without negatively affecting the user experience. Best practices for clickwraps include presenting terms of service before payment, allowing for easy reading of all terms, allowing users to print or save a copy of the terms, offering a prominent option to decline the terms, providing an easy way for users to find the terms on the site at any time after payment or registration, and giving users notice of (and requiring users to accept) any updates and changes to the terms of use.

For other sites, including some social media sites, the story may differ. Many social media sites—for example, Pinterest, Twitter, and YouTube—allow users to access at least some content and functionality without registering. With sites such as these, there may be no real opportunity to obtain affirmative acceptance of terms of use without degrading the user experience, so a clickwrap is simply not a practical option. For operators of such websites, the most important lesson of Nguyen and the other cases discussed above is that the question of enforceability often turns on whether the user has sufficient notice of the terms of use. Thus, website operators can increase the likelihood that their terms of use will be enforced if links to such terms are prominently displayed, preferably “above the fold” so that a user will be able to see the link without scrolling down the page. As Nguyen and the other cases illustrate, an operator who places links to terms of use in a tiny font buried at the bottom of a page may be in for an unpleasant surprise if those terms ever need to be enforced.

In two recent decisions issued within a day of each other, two influential federal courts limited the scope of three important federal laws used to prosecute criminal conduct involving computers.  On April 10, 2012, the Ninth Circuit limited the scope of criminal liability for prosecutions under the Computer Fraud and Abuse Act, and on the following day the Second Circuit sharply limited the scope of the National Stolen Property Act and the Economic Espionage Act of 1996.  Together, these decisions indicate a reluctance to accept prosecutors’ expansive views of the reach of federal criminal laws with respect to computer usage, and the Ninth Circuit’s decision in particular may have far-reaching implications for the enforceability of website terms of service and employee policies in the civil context.

The Ninth Circuit’s decision was issued en banc in United States v. Nosal upholding the district court’s dismissal of David Nosal’s indictment for violations of the Computer Fraud and Abuse Act (“CFAA”).  Nosal had worked for an executive search firm and left to start a competing business.  He convinced several of his former colleagues to help him by accessing and then transferring to him source lists, names, and contact information from the firm’s confidential database.  The former colleagues were authorized to access the database, but the firm had a policy forbidding the disclosure of confidential information.  The government charged Nosal with violating 18 U.S.C. § 1030(a)(4) by aiding and abetting the former colleagues in “exceed[ing] authorized access” to the firm’s computers with intent to defraud the firm.

Nosal moved to dismiss the CFAA counts, arguing that the statute was meant to target hackers and not those who accessed a computer lawfully but then misused information obtained from such access.  The district court agreed, and the government appealed.  In a panel decision issued in 2011, the Ninth Circuit reversed the district court, holding that an employee “‘exceeds access’ under § 1030 when he or she violates the employer’s computer access restrictions — including use restrictions.”  The en banc court found otherwise, holding that “‘exceeds authorized access’ in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use.” (Emphasis in original.)  To hold otherwise, the court reasoned, would make federal crimes out of “minor dalliances” like playing games or shopping online, if such activities were prohibited by an employer’s computer-use policy.  The court observed:  “Employer-employee and company-consumer relationships are traditionally governed by tort and contract law,” and to interpret the CFAA to apply to use restrictions “allows private parties to manipulate their computer-use and personnel policies so as to turn these relationships into ones policed by the criminal law.”  This would implicate “[s]ignificant notice problems.”  Although the government argued that it would not prosecute minor violations of the law, the court found that “we shouldn’t have to live at the mercy of our local prosecutor.”

The Second Circuit’s decision in United States v. Aleynikov, issued on April 11, 2012, limits the reach of computer crime prosecutions under the National Stolen Property Act (“NSPA”) and the Economic Espionage Act of 1996 (“EEA”).  Sergei Aleynikov was convicted of violating both acts based on his theft and transfer of his company’s proprietary source code.  Aleynikov was a computer programmer at Goldman Sachs, where he developed source code for the company’s proprietary high-frequency trading (“HFT”) system.  Goldman’s policies bound Aleynikov to keep the firm’s proprietary information confidential and barred him from taking or using it when his employment ended.  Aleynikov accepted an offer from a new company that was looking to develop its own HFT system.  On his last day at Goldman, Aleynikov uploaded source code for Goldman’s HFT system to a server in Germany, which he then downloaded to his home computer for use at his new job. 

Aleynikov was sentenced to 97 months in prison.  He appealed, arguing that the district court should have dismissed his indictment for failure to state an offense.  The Second Circuit reversed his conviction on both counts, finding that his conduct did not constitute an offense under either statute.  (Aleynikov has also been charged with a criminal violation of the CFAA, but the district court had dismissed that charge on the ground that “authorized use of a computer in a manner that misappropriates information is not an offense” under the act.  This ruling predates the similar en banc Nosal decision discussed above, and the government did not appeal the ruling.)

The NSPA criminalizes transmittal of a stolen “good” in interstate or foreign commerce.  The Second Circuit held that source code is not a “good,” and therefore, “the theft and subsequent interstate transmission of purely intangible property is beyond the scope of the NSPA.”  The court “decline[d] to stretch or update statutory words of plain and ordinary meaning in order to better accommodate the digital age.”  Significantly, the court noted that a different conclusion might apply if the stolen source code had been removed from Goldman’s premises on a tangible item, like a CD or flash drive, instead of having been stolen through uploading to an off-premises server.

The EEA prohibits the unauthorized downloading, uploading, transmitting, or conveying of trade secrets related to or included in a product that is produced for or placed in interstate or foreign commerce, with the intent to convert the trade secret, while intending or knowing that the offense will injure the owner of the trade secret.  On this count, the Second Circuit held that Goldman’s HFT system was neither “produced for” nor “placed in” interstate commerce because Goldman had no intention of selling or licensing the system and, in fact, “went to great lengths to maintain the secrecy of its system.” 

Although neither the NSPA nor EEA provides for a private right of action, we think it is possible the rationales of these decisions could influence civil litigation involving misuse of an employer’s computer system, including, in particular, civil litigation under the CFAA based on violations of website terms of service or employee policies.  For examples of previous such cases, see, e.g., Am. Online, Inc. v. LCGM, Inc. and EF Cultural Travel BV v. Explorica, Inc. In most of these cases, it appears that the defendant was authorized to access the website or system in question, but misappropriated the data on those websites or systems.  In addition to limiting criminal exposure, the Ninth Circuit’s interpretation of “exceeds authorized access” in Nosal may be construed to undermine this basis for a civil suit.  Watch these pages for further reports on these issues.

In the recent online contracting case of Fteja v. Facebook, Inc., a New York federal court held that a forum selection clause contained in Facebook’s Statement of Rights and Responsibilities (the “Terms”) was enforceable because the plaintiff assented to the Terms when registering to use Facebook.  The court’s analysis and holding followed the recent trend of de-emphasizing the distinction between “clickwrap” and “browsewrap” agreements and instead focusing on whether the user was provided  with actual or constructive notice of the agreement’s terms and conditions.  In this case, the result turned on whether Facebook’s Terms were reasonably communicated to the plaintiff prior to his use of the Facebook.com site.

The plaintiff, an active Facebook user, brought the action against Facebook in New York state court asserting that Facebook disabled his Facebook.com account without justification and for discriminatory reasons.  He claimed that the disabling of his account hurt his feelings, inflicted emotional distress and assaulted his good reputation among his friends and family.

Facebook removed the lawsuit to New York federal court on the basis of diversity of citizenship, and then moved to transfer the action to federal court in Northern California, citing the forum selection clause in the Terms.  Facebook argued that because the plaintiff clicked through Facebook’s registration page and expressly acknowledged that he read and agreed to the Terms (including the forum selection clause), the Terms were valid and enforceable.  The plaintiff responded that there was no proof that he agreed to the forum selection clause and that he did not remember agreeing to the Terms.

The court reviewed Facebook’s registration process, noting that after a new user provides his or her personal information and clicks an initial “Sign Up” button, he or she is directed to a security page that requires the new user to input a series of letters and numbers.  Below the box where the new user enters the letter/number combination, the page displays a second “Sign Up” button that is immediately followed by the phrase: “By clicking Sign Up, you are indicating that you have read and agree to the Terms of Service.”  The phrase “Terms of Service” is underlined, indicating that it is hyperlinked to the Terms.

After this review of Facebook’s registration process, the court then described the historical development of online contracting law, referencing the Register.com, Inc. v. Verio, Inc., Specht v. Netscape Communications Corp., and Hines v. Overstock.com, Inc. decisions, and the importance of establishing mutual manifestation of assent.  Following this discussion, the court pointed out that Facebook’s Terms are “somewhat like a browsewrap agreement in that the terms are only visible via a hyperlink, but also somewhat like a clickwrap agreement in that the user must do something else – click ‘Sign Up’ – to assent to the hyperlinked terms,” and that, unlike some clickwrap agreements, a new Facebook user can click to assent whether or not he or she has been presented with the Terms.  Finally, the court looked at the plaintiff’s level of sophistication and stated that an Internet user whose social networking was so prolific that losing Facebook would cause him mental anguish should understand that the hyperlinked phrase “Terms of Service” really means “Click Here for Terms of Service,” thereby establishing constructive knowledge of the Terms.

The court concluded that the plaintiff’s registration for Facebook by clicking the “I accept” button constituted his assent to the Terms (including the forum selection clause) even though he may not have actually reviewed the hyperlinked Terms.  The court then, after considering the public policy ramifications of the transfer decision, held that the forum selection clause was enforceable and directed the action to be transferred to federal court in Northern California.

Key Take Aways.  While the Fteja v. Facebook, Inc. case illustrates that U.S. courts may enforce a hybrid browsewrap/clickwrap agreement even where the user does not have actual knowledge of the terms and conditions, the safest approach for a website operator is to structure its online terms of service as a traditional clickwrap agreement that requires users to scroll through the terms and conditions and then click an “I accept” button.  In situations where this structure is not commercially reasonable, the following tips can be used to help establish user assent under U.S. law through constructive knowledge of the terms and conditions of an online agreement:

  • Prominent Notice:  Include a prominent notice that cannot be skipped by users; such notice ideally should state that the use of service is subject to the hyperlinked terms of service.  Such notice should be provided in reasonably large font and contrasting colors that do not blend into the website’s background.  If possible, include an “I accept” button next to the notice.
  • Easy Access/Full Disclosure:  Provide easy access to the full text of the terms of service via a clearly identifiable hyperlink that links to a downloadable and printable version of the terms of service.  The hyperlink should be provided next to the notice and an “I accept” button (if any).
  • Readability:  Structure and phrase the terms of service so that they can be reasonably understood by users based on their anticipated level of sophistication.
  • Highlight Important Terms:  Make sure that any particularly important terms are clearly identifiable and not hidden.  If the website operator is especially concerned about an issue (e.g., enforceability of the limitation of liability provision of the terms of service), consider expressly referencing the concern as part of the general notice (e.g., “By clicking Sign Up, you are indicating that you have read and agree to the Terms of Service, including the limitations on vendor’s liability described therein”).