Terms of Service &Privacy PoliciesSetting the Ground Rules for Your Site Through Legal Mumbo-Jumbo

james f. peiser, esq.

jp@jamespeiser.com

July 2, 2013

One quick note…

This presentation discusses general legal issues, but it does not constitute legal advice in any respect, and is not the basis for an attorney-client relationship. I’d ask that no reader / attendee act or refrain from acting based on any information presented herein without seeking the advice of counsel, and expressly disclaim liability for any action taken or not taken based on the contents of this presentation.

Lawyers, am I right?

Seriously, though – this world moves fast, and occasionally the law keeps up, especially with respect to the ever-evolving world of privacy. So some of this information may get outdated quickly (or, because I don’t have an army of researchers handy, may already be outdated – but I’ve taken reasonable steps to have this not be the case).

“

”

It is the beginning of wisdom when you recognize that the best you can do is choose which rules you want to live by, and it's persistent and aggravated imbecility to pretend you can live without any.

- Wallace Stegner

Terms of Service: Choosing Which Rules You Want to Live By

Terms of Service: Just Another Contract, Really

Your Terms of Service is a contract between your company and the users of your site/product/service.

Like any binding contract, it creates a set of mutual expectations and obligations – that you will provide the service, and that the user will use the service in accordance with the Terms.

Acting against that expectation – a breach of the contract – generally would be grounds for terminating use of the service.

Terms should be narrowly tailored to your business – a hardware store wouldn’t have a “raw or undercooked foods” warning sign

Compare some selected parts of the Terms of Service/Use of a couple of well-known companies: TwitPic and Foursquare

Use or Registration = Agreement

“By using Twitpic.com, you signify that you have read, understand and agree to be bound by these Terms and conditions.”

Silent on amendment process, if any, for regular “users” – separate government TOS includes language around amendments

Unclear whether “use” is akin to “registration” or includes passively accessing content (pictures)

“By registering for and/or using the Service in any manner, including but not limited to visiting or browsing the Site, you agree to all of the terms and conditions contained herein ("Terms of Use"), which also incorporate Foursquare's Privacy Policy, Foursquare's Intellectual Property Policy, Foursquare's Photo Guidelines, Foursquare's Venue Terms and Conditions, Foursquare's API License Agreement and all other operating rules, policies and procedures that may be published from time to time on the Site by Foursquare, each of which is incorporated by reference and each of which may be updated by Foursquare from time to time without notice to you in accordance with the terms set out under the "Modification of Terms of Use" section below. In addition, some services offered through the Service may be subject to additional terms and conditions specified by Foursquare from time to time; your use of such services is subject to those additional terms and conditions, which are incorporated into these Terms of Use by this reference. These Terms of Use apply to all users of the Service, including, without limitation, users who are contributors of content, information, and other materials or services on the Site, individual users of the Service, venues that access the Service, and users that have a page on the Service.”

A bit more useful, if overly legalese-y

Be clear about the definitions of “use,” “registration,” etc.

Adults Only?

“Twitpic is concerned about the safety and privacy of all its Users, especially children. Therefore, children under the age of 13 are not permitted to use Twitpic.com.”

You represent and warrant that if you are an individual, you are of legal age to form a binding contract, or that if you are registering on behalf of an entity, that you are authorized to enter into, and bind the entity to, these Terms of Use and register for the Service. The Service is not available to individuals who are younger than 13 years old. Foursquare may, in its sole discretion, refuse to offer the Service to any person or entity and change its eligibility criteria at any time. You are solely responsible for ensuring that these Terms of Use are in compliance with all laws, rules and regulations applicable to you and the right to access the Service is revoked where these Terms of Use or use of the Service is prohibited and, in such circumstances, you agree not to use or access the Site or Services in any way.

• Set an age limit of at least 13 unless geared towards kids.• Avoid the “Columbia House” problem.

Content / User Content Etc.

“TwitPic reserves the right to remove any image for any reason whatsoever. Specifically, any image uploaded that is pornographic or offensive in nature (including nudity, violence, sexual acts, or sexually provocative images.), infringes upon copyrights not held by the uploader, is illegal or violates any laws, will be immediately deleted and the IP address of the uploaded reported to authorities. Violating these terms may result in termination of your ability to upload further images. We reserve the right to ban any individual uploader or website domain from using our services for any reason.”

“We cannot be held liable for any damages. All data, photographs, videos, messages, graphics, comments, text, tags, or other materials ("Content"), are the sole responsibility of the person from whom such Content originated. You, and not Twitpic, are entirely responsible for all Content that you upload, post, email, transmit or otherwise make available through Twitpic. Twitpic does not control the Content posted and does not guarantee the accuracy or integrity of such Content.

“Twitpic shall not be liable for any statements or conduct of any third party using the service. By using Twitpic you may be exposed to Content that is indecent, objectionable or offensive.

Going to quickly flip to the actual TOS, as there is a lot in there about content.

Note the different flavors of Content specified

Never a bad idea to have different policies for different types of content: “If the User Submission includes a photograph, Foursquare's Photo Guidelines shall apply.”

Especially never a bad idea to spell out your (strongly held, opposed-to-it) position on child pornography: “Foursquare has a zero-tolerance policy against child pornography, and will terminate and report to the appropriate authorities any user who publishes or distributes child pornography.”

Spell out control mechanisms and disclaim liability for problematic content – but ensure that proper compliance methods established.

Termination

“TwitPic reserves the right to remove any image for any reason whatsoever. Specifically, any image uploaded that is pornographic or offensive in nature (including nudity, violence, sexual acts, or sexually provocative images.), infringes upon copyrights not held by the uploader, is illegal or violates any laws, will be immediately deleted and the IP address of the uploaded reported to authorities. Violating these terms may result in termination of your ability to upload further images. We reserve the right to ban any individual uploader or website domain from using our services for any reason.”

“Foursquare may terminate your access to all or any part of the Service and/or Add-to Link at any time, with or without cause, with or without notice, effective immediately, which may result in the forfeiture and destruction of all information associated with your membership. If you wish to terminate your account, you may do so by following the instructions on the Site. Any fees paid hereunder are non-refundable. All provisions of these Terms of Use which by their nature should survive termination shall survive termination, including, without limitation, ownership provisions, warranty disclaimers, indemnity and limitations of liability.”

Generally, you want to be able to terminate for any reason, but also specify most-terminable violations (NB: paid v. free, conversion, etc.)

Indemnity

“You agree to indemnify and hold Twitpic, its officers and employees exempt from any claim or demand, including reasonable attorneys' fees, made by any third party due to or arising out of Content you submit, transmit, post or otherwise make available through Twitpic.”

“You shall defend, indemnify, and hold harmless Foursquare, its affiliates and each of its and its affiliates' employees, contractors, directors, suppliers and representatives from all losses, costs, actions, claims, damages, expenses (including reasonable legal costs) or liabilities, that arise from or relate to your use or misuse of, or access to, the Site, Service, Content, Add-to Link or otherwise from your User Submissions, violation of these Terms of Use, or infringement by you, or any third party using the your account, of any intellectual property or other right of any person or entity (save to the extent that a court of competent jurisdiction holds that such claim arose due to an act or omission of Foursquare). Foursquare reserves the right to assume the exclusive defense and control of any matter otherwise subject to indemnification by you, in which event you will assist and cooperate with Foursquare in asserting any available defenses.”

If a user violates your terms and causes actual damage to your business, ensure you have asserted your right to indemnification.

Miscellany

“You agree that regardless of any statute or law to the contrary, any claim or cause of action arising out of or related to use of the Service or the Terms of Service must be filed within one (1) year after such claim or cause of action arose or be forever barred.”

“Data mining, "scraping", and/or unauthorized crawling of Twitpic by any means is prohibited unless explicit permission is given. Using any data from Twitpic (including images, data from images and/or users) that is not available through authorized channels is also prohibited unless explicit permission is given. Storing, saving and/or retaining images of any size is also prohibited.”

“Foursquare shall not be liable for any failure to perform its obligations hereunder where such failure results from any cause beyond Foursquare's reasonable control, including, without limitation, mechanical, electronic or communications failure or degradation (including "line-noise" interference). These Terms of Use are personal to you, and are not assignable, transferable or sublicensable by you except with Foursquare's prior written consent. Foursquare may assign, transfer or delegate any of its rights and obligations hereunder without consent. No agency, partnership, joint venture, or employment relationship is created as a result of these Terms of Use and neither party has any authority of any kind to bind the other in any respect.”

Copyright Ownership and Licensing – Probably the Most Important Part of your Terms

Spell out your license that users grant you– along the lines of “By uploading content, you grant to [Company] a non-exclusive, worldwide, royalty-free, sub-licenseable and transferable license to use, reproduce, distribute, prepare derivative works of, display, and perform the content”

Facebook: “non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook. This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it.”

Of course, users might not like it, but they are free to walk away.

You could also grant users a [worldwide, non-exclusive, non-sublicensable, non-transferable] license to use, modify and reproduce your own and your partners’ content, solely for personal use

If you have user-generated content, make sure you are very clear about UGC ownership.

“

”

When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else.

-David Brin

How to create a Privacy Policy that Works For People and Everyone Else

The Internet Is Still Not A Truck:It’s a Series of Tubes, and Has Very Little Respect for Geographic Boundaries

Email Monitoring Laws:

CT: Conn. Gen. Stat.§ 31-48d

Prior written notice to all employees required, advising of types of electronic monitoring which may occur.

Exception for suspected illegal activity

DE: Del. Code § 19-7-705

Employer must give a one-time written or electronic notice before monitoring email or Internet access or usage of an employee

Exceptions for maintenance and court orders

Only applies to companies with a “place of business” in Delaware

Misleading/False Privacy Policy Laws:

NE: NE Statute § 87-302 (14)

It’s a “deceptive trade practice” to “Knowingly makes a false or misleading statement in a privacy policy, published on the Internet or otherwise distributed or published, regarding the use of personal information submitted by members of the public.”

There’s also a bit about uninstalling spyware & (I think?) P2P clients, but that’s not an issue, right?

PA: 18 Pa. C.S.A. § 4107(a)(10)

Pretty much identical to Nebraska’s

California All The Way – PII & CA

S. 22577(a): The term "personally identifiable information" means individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:

(1) A first and last name.

(2) A home or other physical address, including street name and name of a city or town.

(3) An e-mail address.

(4) A telephone number.

(5) A social security number.

(6) Any other identifier that permits the physical or online contacting of a specific individual.

(7) Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.

CA BUSINESS AND PROFESSIONS CODE SECTION 22575

(a) An operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site, or in the case of an operator of an online service, make that policy available in accordance with paragraph (5) of subdivision (b) of Section 22577. An operator shall be in violation of this subdivision only if the operator fails to post its policy within 30 days after being notified of noncompliance.

Back to 22575 For a Moment…

(b) The privacy policy required by subdivision (a) shall do all of the following:

(1) Identify the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.

(2) If the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service, provide a description of that process.

(3) Describe the process by which the operator notifies consumers who use or visit its commercial Web site or online service of material changes to the operator's privacy policy for that Web site or online service.

(4) Identify its effective date.

Seriously, California?

California also has a “Shine the Light Law” - CA Civil Code § 1798.83

Applies to companies that share any of 27 types of users’ PII with third parties for direct marketing purposes.

Safe harbor: Under 20 employees

If you need to comply with this, be sure to place a link on your homepage that says “Your Privacy Rights” or “Your California Privacy Rights”

Provide contact details for users who want further information

Respond to any such requests – don’t have a mailbox that goes unchecked for years

Need to have a brief statement explaining the law and how users can opt out of having PII shared with direct marketers.

From Topps’ website: “If you are a California resident, you are entitled by law to request certain information regarding Topps’ disclosure to third parties of personal information for their direct marketing purposes. To make such a request, submit a written request to the address listed in the Contact section below, or send an e-mail to privacypolicy@topps.com, specifying that you seek your "California Customer Privacy Notice." Please allow thirty days for a response.”

Oh, Massachusetts, You Too? Data Protection in the US is highly fragmented – see federal laws like FCRP (Fair Credit

Reporting Act), HIPAA (Health Insurance Portability and Accountability Act ), VPPA (Video Privacy Protection Act – applies to movie rentals, not ATM cameras. Yes, even Netflix records).

In 2010, Massachusetts’ data protection law, 201 CMR 17.00, became effective; while other states have enacted similar laws, this is almost certainly the most onerous.

Aimed at data security breaches, like TJX or Briar Group; puts onus on business that collected PII / customer data.

“Personal Information” is limited to “a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account”

If you’ve got a user in Massachusetts and you take credit cards, well… comply or risk $5,000 fines, in addition to the embarrassment of a security breach.

Requires a “Written Information Security Program,” applicable to all records containing personal information about a resident of the Commonwealth of Massachusetts.

Also, all your vendor contracts must specify compliance with MA laws.

You’re Better Than That

The California laws sets minimum standards that all online businesses should adhere to as a matter of (a) compliance with respect to users in California and (b) getting on the road to best practices.

Doing the bare minimum shouldn’t be enough for the savvy entrepreneur.

Whether or not you need a WISP, having well-defined policies in place will go a long way towards establishing a solid culture of compliance.

Again, tailor your policies to your business – but consider how it might grow, and don’t be caught flat-footed, well-begun being half-done.

It’s really not that complicated:

Essential Elements of Privacy Policy

What Information Do You Collect?

Registration / User-Supplied Information

Biographical information, email address, etc.

Include data collected through 3rd Party Login (OAuth - FB Connect, Twitter)

Automatically Collected

O/S, browser, geolocation, referral links, etc.

Again, even if third party (Google Analytics)

Cookies (or the like)

Disclose if you use.

Essential Elements of Privacy Policy

What Do You DO With Said Information?

Purpose of collection (i.e., customizing user experience, sales, etc.)

Do you share it? And do you share the PII or aggregate data?

Internal recipients as well as third parties, and why?

Law Enforcement – Look for this landscape to change soon…

Transfer protocol in the event of a major corporate event – i.e., a sale of the company or bankruptcy

You take reasonable precautions with respect to security, etc.

How can users Change / Review stored information?

What Date was the policy last updated?

Essential Elements of Privacy Policy

California OPPA and Shine the Light elements

COPPA elements

European elements

Other Suggestions for Policy Drafting Make it easy to read, use short sentences and prefer the active voice.

Include links to definitions of jargon-y concepts if they’re unavoidable.

“HTML 5? I loved their show at Roseland!”

Don’t make promises you aren’t sure you can keep.

Pro-Tip: You aren’t going to be sure you can keep any promises.

“We’ll NEVER share your data! Not even with the NSA!”

Could pose a problem in the event of a security breach

Consider a simplified summary of the key elements up front, followed by a more fulsome discussion.

Have someone other than your attorney read it.

A Word or 205 on COPPA The Children’s Online Privacy Protection Act applies to sites allowing users under 13

Enacted in 1998, effective in 2000, rules promulgated by the Federal Trade Commission

The FTC has a very helpful FAQ on FTC.gov, “Complying with COPPA: Frequently Asked Questions”

Thankfully, the Rule has a safe harbor: “COPPA covers operators of general audience Web sites or online services only where such operators have actual knowledge that a child under age 13 is the person providing personal information.” (from said FAQ)

Twitpic’s Privacy Policy: “The Site is not directed to persons under 13. If a parent or guardian becomes aware that his or her child has provided us with personally identifiable information without their consent, he or she should contact us. We do not knowingly collect personally identifiable information from children under 13. If we become aware that a child under 13 has provided us with personal identifiable Information, we will delete such information from our system.”

Foursquare’s: “ The Service is not available to individuals who are younger than 13 years old.”

Doesn’t address what happens if a child manages to sign up

Bottom Line: If you’re marketing to kids at all, COPPA compliance is extremely important.

Sample COPPA Compliance (Actually Marketing to Kids)

At Topps, children’s privacy is important to us. We are committed to providing fun, entertaining, and secure Sites for all ages, particularly our younger users. Therefore, we have implemented the special measures described below to help children protect their privacy while online.

Information We Collect: There are many activities on the Topps Sites or portions of Sites directed to children that children can participate in and enjoy without providing personally identifiable information. To enable their participation in some of our interactive features (e.g., contests, newsletters, online games, electronic postcards to family or friends), children will need to provide us with certain personally identifiable information. The types of personally identifiable information is typically limited to first name and e-mail addresses. We also may ask users to provide certain information that is not personally identifiable, such as city or state of residence, date of birth and gender.

Use and Disclosure of Information: To participate in certain features, we may ask a visitor to register. When users who attempt to register indicate that they are children, depending on their age or location, we either collect no personally identifiable information from them or inform them that a parent or guardian’s consent is necessary to participate in the activity. To obtain consent, we will collect the e-mail address of the visitor’s parent or guardian in addition to that of the visitor. We use the parent or guardian’s e-mail address to obtain consent or notify parents or guardians of their child’s online activities and to enable them to unsubscribe the child from a newsletter or other similar activity. For visitors that we know are children, we will not condition participation in an online activity on the disclosure of more personally identifiable information than reasonably necessary to participate in the activity.

Unless we indicate otherwise or obtain consent, personally identifiable information collected from children is generally used by Topps or Topps’ agent and contractors for internal purposes, such as enabling visitors to enter our online contests or sweepstakes, to subscribe to an online newsletter, to play an online game, to provide customer service, and/or for the purposes for which the information was provided. We do not share children’s personally identifiable information with outside third parties not bound by this Policy for their own marketing purposes.

We may share children’s personally identifiable information with third parties to the extent reasonably necessary to: protect the security or integrity of our Sites; take precautions against liability; respond to judicial process or law enforcement agency request or investigation; or to the extent permitted by law or consistent with this policy or legal requirements.

Reviewing Information/Contact: If you would like to review any personally identifiable information that we have collected online from your child, have this information deleted, and/or request that there be no further collection or use of your child’s information or if you have questions about these information practices, you may email us at privacypolicy@topps.com; write to us at Topps US, One Whitehall Street New York, NY 10004; or call us at 1-888-GOTOPPS.

Going Global?

The European Union and its member states are, to put it mildly, difficult when it comes to data protection and privacy.

If you’re doing business in Europe, you’ll need to follow the EU’s Data Protection Directive – soon to be supplanted by a new Directive, the General Data Protection Regulation.

Seriously, consult a lawyer who knows what she’s doing to help shape your data protection regime if you’re transacting globally.

Example of some added language for EU requirements: “As Topps operates globally, we may need to transfer to and process personally identifiable information about you on our servers in the United States. Please note that the data protection laws of other countries, such as the United States, may not offer a level of privacy protection equivalent to that within the European Economic Area or your home country. Be assured, however, that we will take reasonable steps to protect personally identifiable information collected at our Sites. By using this Site, you expressly consent to such transfer.”

Thanks For Joining Me!

I guess it’s Q & A time then

(Assuming, of course, I haven’t blathered on for the full 2 hours)