Privacy Policy, Terms of Use, and Web Accessibility Guidelines, oh my.


Our firm has taken note of a disturbing wave of class action lawsuits against both large and small companies who sell goods and services online, or who use their websites to drive traffic to their physical locations. Some of these lawsuits are based on a company’s failure to make its website accessible to the disabled (which many businesses do not even know they must do). There are several steps businesses can take in order to avoid being a target of one of these lawsuits. This blog post is designed to alert business owners to some of these steps.

GENERALLY

Posting Requirements

The first step a business can take to protect itself is to ensure that it has a compliant Privacy Policy, Terms of Use and Web Accessibility Statement posted on its website. Additionally, separate hyperlinks for Terms of Use, Privacy Policy, Your California Privacy Rights (discussed below) and Web Accessibility should be clearly and conspicuously posted in the same font and size on each page of a website, usually at the bottom. The “Your California Privacy Rights” link should take the user to the relevant paragraph(s) of the Privacy Policy that contain the provisions specific to California residents, whereas the “Privacy Policy” link should take the user to the beginning of the entire Privacy Policy.

The hyperlinks to the foregoing policies should be obvious to the user (e.g., in at least 12-point font, in visible coloring). When a user clicks on the applicable hyperlink, it should immediately display the Terms of Use, Privacy Policy and Web Accessibility Policy/Online Access Statement and should not require the user to click on a series of hyperlinks to view each. Links should be evident on every webpage of the website as opposed to only on the home page and should not require a search of any sort. This also increases the likelihood that a user will be charged with having read the policies and thus bound by them.

Changes and Updates

Businesses should include language in their Terms of Use, Privacy Policy and Web Accessibility Policy that allows for and alerts users that there may be changes in such policies from time to time in the company’s sole discretion. Experienced counsel can assist with implementing any material changes in such policies and practices.

PRIVACY POLICY

Updates

Certain sections in a Privacy Policy, such as descriptions of the types of personally identifiable information a business collects and how that information is used and shared, may need to be modified based on the company’s current practices and any practices it intends to adopt in the future. A company may choose to describe such practices broadly to cover activities it intends to engage in at a later date, and it may also opt to delete references to practices that are no longer applicable to its business and intended activities. Any material changes to a company’s privacy practices should be reflected in an updated Privacy Policy and possibly a click-wrap acknowledgment or an email notification to customers if such changes are significant.

At a minimum, a company’s Privacy Policy should be reviewed and updated every 6-12 months. A business may be subject to enforcement sanctions by regulatory authorities and liability in private lawsuits if its data collection practices change and its Privacy Policy fails to accurately describe those changed practices. The effective date listed at the top of a company’s Privacy Policy should match the date that the Privacy Policy was last updated in order to alert users to the effective date of any changes (whether due to changes in applicable law or to the company’s practices) as Privacy Policy changes cannot be made retroactive. By regularly updating its Privacy Policy, a business documents its good faith effort to stay current and comply with all applicable privacy regulations.

Material Changes Triggering Notification

Users must be notified of any “material” changes to a company’s Privacy Policy (meaning changes that affect important rights), and consent may be required. By way of example and not limitation, a “material change” would include sharing user information with third parties after committing at the time of collection not to share such data or making any other changes that significantly expand the sharing of user information and/or change the manner in which that information is used.

Watchdog Policy in California

As of October 14, 2016, it is now much easier for privacy violations to be reported by individual users, competitors, etc., and monitored by regulatory authorities. Missing or inaccurate information or other perceived violations of the California Online Privacy Protection Act (CalOPPA) can be reported at any time through use of a form available at: https://oag.ca.gov/privacy/caloppa/complaint-form.

GDPR

The General Data Protection Regulation (GDPR) regulates the processing of data within the European Union and sets forth even more requirements to include in the Privacy Policy. The GDPR has strict, global requirements for companies that deal with residents of the European Union (EU). If a company does any business in the EU (such as selling goods to EU residents), it must comply with the GDPR and include all required information in its Privacy Policy. Experienced counsel can assist a business in meeting these requirements and updating its Privacy Policy accordingly.

TERMS OF USE

Arbitration and Class Action Waiver

A business can attempt to require arbitration of disputes and avoid class action lawsuits by including certain waiver language in its website Terms of Use. Companies should first consult with experienced counsel prior to implementing these safeguards, as there are certain requirements in order for such terms to be enforceable.

Click-Wrap Agreements

Click-wrap agreements increase the likelihood that website Terms of Use and other online policies will be enforceable against users (especially with respect to enforcing the limitations of liability, arbitration clause, class action waiver, disclaimer of warranties and other legal clauses and disclaimers in the event of a lawsuit). Click-wrap agreements require the user to take an affirmative action indicating assent (such as checking an unchecked box or clicking on an “I Agree” tab confirming that a user has read and accepted the Terms of Use).

Click-wrap agreements can and should be designed to appear when users first visit the website, during the sign-up process (if registering for an account is required to participate in any activities/services), and as close as possible to any point of purchase. Click-wrap agreements may also appear before a user is able to download any applications or materials from the website, upon implementation of any important terms, or when material changes to the Terms of Use are made. Important transactions should be designed so that, if the user does not check the box manifesting assent to the Terms of Use, the user cannot proceed with the transaction.

An example of a click-wrap agreement would be a check box adjacent to a statement such as: “By checking this box, you are indicating that you have read, accepted and agree to our Terms of Use” with a hyperlink to the Terms of Use.

Designation of Copyright Agent to Receive DMCA Notices

The Digital Millennium Copyright Act safe harbor protections (which should be set forth in Terms of Use) are only available if a business has registered an agent with the United States Copyright Office to receive notices of alleged infringement prior to the alleged infringement. Related or affiliated service providers that are separate legal entities (for example, corporate parents and subsidiaries) must each make a separate designation of an agent. Joint designations are not allowed.

To satisfy the statutory and regulatory requirements for designating an agent, not only must a business register a designated agent with the United States Copyright Office, but it must also provide the designated agent’s contact information in its Terms of Use, including all of the following information:

  • name
  • physical mailing address
  • telephone number
  • email address

The designated agent’s contact information in a company’s Terms of Use should match the information submitted via the electronic registration system.

The Copyright Office provides information on the requirements and process for registering an agent on its website. As of December 2016, businesses must designate agents via an electronic system (paper designations are no longer accepted). All existing paper designations must be re-filed and electronic designations must be renewed every three (3) years. Step-by-step instructions on registering an agent are available at https://www.copyright.gov/dmca-directory/help.html.

WEBSITE ACCESSIBILITY POLICY

What is WCAG?

Web Content Accessibility Guidelines (WCAG) were developed in cooperation with individuals and organizations around the world, with a goal of providing a single shared standard for web content accessibility that meets the needs of individuals, organizations, and governments internationally. The WCAG documents explain how to make web content more accessible to people with disabilities. Web “content” generally refers to the information in and on a web page or web application, including natural information such as text, images, and sounds, as well as code or markup that defines structure, presentation, etc.

Posting

Best practice is for a business to have a Website Accessibility Policy and/or Online Accessibility Statement posted conspicuously on its website. Although not an express requirement under any law at this time and not bulletproof, posting a Web Accessibility Policy/Online Access Statement will prevent a business from being the proverbial low-hanging fruit for plaintiffs’ attorneys, who are suing companies right and left for not complying with WCAG 2.0 and 2.1 (published on December 11, 2008 and June 5, 2018 respectively). Posting such a policy may indicate that a business: (i) has already settled a case and is working to resolve any deficiencies with respect to website accessibility compliance under the Americans with Disabilities Act, or (ii) may not be out of compliance enough to warrant a demand or lawsuit.

SUMMARY

It is crucial that both small and large businesses have Terms of Use, a Privacy Policy and a Website Accessibility Policy/Online Access Statement posted conspicuously on their websites. Doing so can help a company avoid costly lawsuits and attain some peace of mind. Prior to implementing any such policies or making changes to existing policies, a business should consult with experienced counsel.

The attorneys at Carmel & Naccasha LLP have extensive experience drafting and revising Terms of Use, Privacy Policies and Online Access Statements and Policies. Please contact Emilie Elliott via our contact page or by phone (805) 546-8785 if you have any questions about the information contained herein, or if we can help you with the implementation of any of these policies.
