How Not to Do Website Terms of Use

Client: Hi Paul, we need website terms of use and a privacy policy. We want to save money, so we’ve copied the terms of use and privacy policy for XYZ company, which has a similar product. Please review it for us so we can post it when we launch next week.

Me: [facepalm repeatedly]

This is the classic and all-too-common scenario, and it’s completely the wrong way for a startup to do their website terms of use and privacy policy. First, it’s blatant copyright infringement. Just swapping out your company name for their company name isn’t exactly going to fool anyone.

Second, just because XYZ has a similar product, or operates in roughly the same space, doesn’t mean that they operate exactly how you operate in every single respect. Nor does it mean that their policies and practices will suit your tastes. So unless you plan on copying all of XYZ’s internal policies and practices and operating procedures, much of what is in that terms of use and privacy policy simply won’t be an accurate reflection of your company.

Third, who’s to say that the terms of use or privacy policy that you copied from someone else’s website is any good? It could be a hot mess. They could have copied their terms of use from some company that’s completely unrelated in every way.

As the CEO of a startup, your job is much bigger than just writing software code. You have to run the company. That means putting the time into things like what will go into your terms of use, and developing information collection and handling practices that are accurately reflected in your privacy policy. You have to be intentional about this. When you just send me a terms of use that you copied from someone else, I’m going to push back, and ask you to describe your business model and practices. If you can’t do that, it tells me you haven’t put the time into it yet.

This is an important process, and you cut corners at your risk, and the risk of your investors. Terms of use, if done right, form a binding contract between your company and its customers, a contract that favors you and puts your company in a strong position. Done poorly, and you’re litigating with a customer in a court in Fairbanks, Alaska in February. Privacy policies are increasingly important as states like California, with 38 million residents, pass more and more restrictions on how you can collect and use customer data. You don’t just face the risk of class-action lawsuits, you also have to worry about FTC investigations and fines. Spending your time and money to do things right from the start will save you money, time, and headaches down the road.

 

“WE WILL NEVER SELL YOUR PERSONAL INFORMATION”


Famous last words. How many times has a company told you they would never sell your personal information, in order to get you to sign up, give them your name, your email, your phone number? It sounds great. Hey, I can trust those guys, they will protect my information. And the company is probably sincere when it says that to you.

The problem is that we live in the age of Big Data. For many companies, the most valuable asset they own is their database about their customers. Would Facebook have any value at all without all that information about you and your Facebook friends? Promises not to share or sell customer information can come back to bite your company in the ass. Don’t take my word for it. Just ask Radio Shack.

Radio Shack recently filed for bankruptcy, closing hundreds of stores nationwide. When it filed its bankruptcy petition, Radio Shack stated that it intended to sell customer records, along with other assets, to raise money to pay off its creditors. The Texas Attorney General filed an objection, and then a bunch of other state attorneys general and the Federal Trade Commission filed similar objections. They claimed that selling customer data would violate Radio Shack’s privacy policy, which contained a provision that consumers’ personally identifiable information would not be sold. To sell customer data, therefore, would violate the Texas Deceptive Trade Practices Act (and many similar state and federal laws), which prohibits false or deceptive practices in the conduct of trade or commerce.

The result of all this was that Radio Shack had to enter into an agreement with a number of parties, substantially limiting its ability to sell 117 million customer records. That’s 117,000,000 customer records. Instead of being able to sell the entire set of data, which would include credit and debit card information, transaction history, phone numbers, mailing addresses, and email addresses, Radio Shack has to destroy most of the data and can sell only a subset of the email addresses. And that subset of email addresses is also subject to various restrictions. Consequently, the data asset is of far less value to Radio Shack than originally anticipated.

This problem doesn’t just arise in bankruptcy cases. It could happen with a merger or acquisition, where a company’s database of customer information is an asset being transferred to a new owner. A poorly thought-out promise in the company’s privacy policy could substantially reduce the sale price, or even kill the sale outright.

The bottom line is, don’t make promises you may not want to keep. When creating a privacy policy, it’s important to preserve some room to include customer data as an asset being transferred in connection with the sale or change of ownership of the business. Failing to do so could substantially lower the value of your business, as well as open you up to lawsuits.

Online Privacy Rights for Minors

In a previous post, I wrote about a new California law addressing online privacy rights of minors. That law (California Business & Professions Code Section 22580 to 22582), which took effect on January 1, 2015, does a couple of things. As I wrote in the previous post, the law restricts the kinds of products that can be marketed online to minors under the age of 18. The second thing the new law does is impose content-removal obligations on these website and mobile app operators. That is the subject of this post. The law protects minors who live in California, but it broadly applies to websites and mobile apps located anywhere, if they have users located in California. Since California has more than 9 million residents under the age of 18, out-of-state website and mobile app operators cannot afford to assume that the law doesn’t reach them.

These new content-removal obligations apply to websites and mobile apps that are directed at minors, and also at any websites or mobile apps where the operator has actual knowledge that minors are using it. The operators of these websites and apps must permit minors who are registered users to remove or, if the operator prefers, request and obtain removal of, content or information posted by that registered user. The operator also must notify minors who are registered users that they have these content-removal rights, and provide clear instructions on how to go about getting content or information removed. The operator also has to notify the minors who are registered users that the removal does not ensure complete or comprehensive removal of the content or information.

The operator (or a third party) does not have to erase or eliminate the content or information in any of the following circumstances:

  1. If any other provision of state or federal law requires keeping that content or information.
  2. If the content or information was stored on or posted to the website or mobile app by a third party other than the minor, including content or information that was posted by the minor that the third party has republished or reposted.
  3. If the operator anonymizes the information posted by the minor, so that the minor cannot be individually identified.
  4. If the minor does not follow the instructions on how to obtain the removal of the content.
  5. If the minor has received some kind of compensation for posting the content.

An operator will be considered in compliance with its obligations if it makes the content no longer visible to registered users or the public, even if the content still remains on the operator’s servers. Also, the operator will be in compliance if it removes the content, and then the content remains visible because a third party has reposted it.

If you are operating a website or mobile app directed at minors, or if you know that minors are using your website or app, now is a good time to start implementing procedures to comply with this new law. You will need to set up a mechanism for minors to remove content themselves, or you will need a mechanism for minors to request that you remove the content. You will also need notice provisions. While you might try to implement these changes only with respect to minors who are in California, it may be easier to grant the same rights to minors no matter where they live. Finally, this new law will also require changes to your website’s (or app’s) terms of use and privacy policy.

Follow me on Twitter @PaulHSpitz

 

FTC Slaps Yelp on Children’s Online Privacy

You might think that only companies that operate websites directed at children need to worry about complying with COPPA, the Children’s Online Privacy Protection Act. A recent case involving Yelp, the online review site, however, shows that websites that aren’t specifically geared towards children need to worry about COPPA, too. Yelp recently reached an agreement with the Federal Trade Commission to settle charges that it had violated COPPA. Yelp agreed to pay $450,000 in civil penalties.

So what happened to bring the wrath of the FTC down on Yelp, every retailer’s favorite review site? The FTC claimed that Yelp had collected personal information from children over a four-year period that began when Yelp’s mobile app launched in 2009. According to the FTC, when users registered with the Yelp site and entered a date of birth showing that they were under the age of 13, Yelp collected the person’s name, e-mail address, and location. COPPA requires that prior to collecting such information from children under the age of 13, a website operator must notify the child’s parent or guardian and get the parent or guardian’s express consent. The FTC claimed that Yelp did not take these actions with respect to thousands of registered users, even though Yelp could tell from the registration information that they were triggering COPPA. The FTC also claimed that Yelp failed to implement or properly test its apps to ensure that children under the age of 13 could not register.

In addition to paying a $450,000 penalty, Yelp agreed to delete the information it had collected about children who had registered, and to comply with COPPA going forward.

Why is the Yelp case important? There are two reasons:

• First, the settlement shows that COPPA applies to mobile apps, in addition to conventional websites.
• Second, the case shows that website and app operators need to worry about COPPA, even if their site or app isn’t directed specifically at children. If your website or app is collecting personal information about users, you need to consider whether some of those users might be under the age of 13. If you are collecting information about children under the age of 13, COPPA applies. So you have two options at this point. You can develop COPPA compliance procedures, or you can implement software tools to block users under the age of 13 from registering and providing personal information.
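As an added illustration (not code from this post, from Yelp, or from the FTC settlement), here is the kind of registration age gate the second point describes: date-of-birth screening that refuses under-13 sign-ups before any name, e-mail or location is written to the account store. The `Registration` and `Outcome` types, the `register` function and the sample sign-ups are all assumed for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

COPPA_AGE = 13  # COPPA covers children under 13

def age_on(dob: date, today: date) -> int:
    """Completed years between dob and today. Comparing (month, day) tuples
    avoids the usual off-by-one; a Feb 29 birthday counts as completed on
    Mar 1 in non-leap years."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years

@dataclass(frozen=True)
class Registration:          # assumed sign-up form fields (constructed)
    name: str
    email: str
    location: str
    dob: str                 # ISO date as typed into the form, e.g. "2012-03-02"

@dataclass(frozen=True)
class Outcome:
    accepted: bool
    reason: str
    age: Optional[int]
    stored: Optional[dict]   # what reaches the account store, if anything

def register(reg: Registration, today_iso: str) -> Outcome:
    """Age gate at sign-up: runs before anything is persisted, so a refused
    child leaves no name, e-mail or location behind."""
    today = date.fromisoformat(today_iso)
    try:
        dob = date.fromisoformat(reg.dob)
    except ValueError:
        return Outcome(False, "invalid date of birth", None, None)
    if dob > today:
        return Outcome(False, "invalid date of birth", None, None)
    age = age_on(dob, today)
    if age < COPPA_AGE:
        # Under 13: notice and parental consent come first, so store nothing.
        return Outcome(False, "under 13: parental consent required", age, None)
    return Outcome(True, "ok", age, {"name": reg.name, "email": reg.email, "location": reg.location})

if __name__ == "__main__":
    # Constructed sample sign-ups checked against a fixed "today".
    print(register(Registration("Sam", "sam@example.com", "Austin", "2012-03-02"), "2025-03-01"))
    print(register(Registration("Ash", "ash@example.com", "Austin", "2012-02-29"), "2025-03-01"))
```

The point the Yelp case makes is that the gate has to exist and be tested; the tests here cover the day before a birthday, a leap-day birthday and malformed input, which is where a naive year subtraction goes wrong.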


Children’s Online Privacy Compliance – Part 2

In my last post, I discussed how to determine if your website or mobile app collects personal information from children under the age of 13, which would make it subject to the Children’s Online Privacy Protection Act (COPPA). In today’s post, I’ll discuss posting a privacy policy that complies with COPPA. Such a policy has to clearly describe how personal information collected from children under age 13 is handled. Not only must this privacy policy describe how you handle the information, it has to describe the information handling practices of others that collect personal information through your site or app (such as plug-in services or advertising networks).

In a previous post, I discussed general principles for privacy policies. For example, you should provide a prominent link to your privacy policy on your website, ideally using a larger font or different color. Companies subject to COPPA need to go further, by posting a link to the privacy policy wherever they collect personal information from children under the age of 13. For example, if your website is designed for a general audience, but you have a separate section for kids, there should be a link to the privacy policy on the homepage, as well as on the main page for the kids’ section.

To comply with COPPA, your privacy policy must include three things:

  1. A list of all operators collecting personal information;
  2. A description of the personal information collected and how it is used; and
  3. A description of parental rights.

List of Operators

You will need to provide a list of all operators, including third parties, that collect personal information from kids. The list must include the name and contact information for each operator. If you have several operators collecting information, you can provide contact information for only one, as long as that operator agrees to respond to all inquiries from parents about your site or service’s practices. You will still have to list the names of all the other operators, however.

Description of Personal Information Collected

The policy must also describe:

  • The types of personal information collected from children (such as name, address, e-mail address, hobbies, etc.)
  • How the information is collected (for example, is it collected actively by filling out a form, or passively, through cookies?)
  • How the information will be used (marketing to the child, notifying winners of contests, allowing the child to make information publicly available through a forum or chat room, etc.)
  • Whether any personal information is disclosed to third parties, and if so, what kinds of third parties and how they use the information.

Description of Parental Rights

Finally, the policy must describe the rights parents have with respect to your collection of personal information:

  • That you won’t require a child to disclose any more information than is reasonably necessary to participate in an activity
  • That parents can review their child’s personal information, and direct you to delete it, and refuse to allow any further collection or use of personal information from their child
  • That parents can agree to the collection and use of their child’s personal information, but still refuse to allow disclosure to third parties unless that is a part of the service (for example, social networks)
  • The procedures parents need to follow to exercise these rights.

As the various requirements for a privacy policy show, you must put a great deal of thought into how your website or service operates, in order to make the proper disclosures. In addition, there is a substantial amount of programming involved, so that parents can properly exercise their rights to delete personal information or limit its collection and use.

In the next installment, I will discuss the issues of parental notification and consent.
