drafting website and mobile app terms of use, privacy...
TRANSCRIPT
Presenting a live 90-minute webinar with interactive Q&A
Drafting Website and Mobile App Terms of Use, Privacy Policy and IP Protections
WEDNESDAY, OCTOBER 25, 2017
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Julia B. Jacobson, Partner, K&L Gates, Boston
A. Benjamin Klaber, Morgan Lewis & Bockius, Pittsburgh
Richard C. Vershave, Fraser Trebilcock, Lansing, Mich.
© 2015 Morgan, Lewis & Bockius LLP
TERMS OF USE/SERVICE
STRAFFORD WEBINAR Ben Klaber October 25, 2017
Introduction
• Stay Principled
Enforceability
Notable Provisions
Terms and Policies and Guidelines…oh my
Enforceability
• Example Structures
Click-Wrap
Browse-Wrap (or hybrid)
Notice-Wrap
E-Warranty, Email, etc.
• Bottom Line: Awareness, Access and Assent
Customize: Understand the business, technology and user experience
Enforceability
• Click-Wrap Agreements
“I Accept” clicked – Terms generally enforceable
Maintain records; control access (see Kearney v. Okemo LLC)
Enforceability
• Click-Wrap Example
Enforceability
• Browse-Wrap Agreements
No “I Accept” – Enforceability issues
User awareness likely?
Terms readily available?
Tompkins v. 23andMe, Inc. (later registration sufficient for terms to be binding)
Enforceability
• Browse-Wrap Example (Home Page)
HAS ANYBODY SEEN MY TERMS?!
Enforceability
• Nguyen v. Barnes & Noble
– link one of several at bottom of page
– No actual or constructive notice
– arbitration provision unenforceable
– Discussion regarding design and content
References/directions?
Placement (field of vision)?
Conspicuous?
Reasonably prudent user – inquiry notice?
Enforceability
• Hybrid Example (“Sign up”)
See Fteja v. Facebook (discussion of click-wrap, browse wrap, etc.)
• Fteja v. Facebook
Enforceability
• Hybrid Example (“Download” with scroll)
Enforceability
• Notice-Wrap Agreements
No “I Accept” – Enforceability issues
Like Browse-Wrap, user awareness and access?
Option to close alert – supports awareness argument
Nicosia v. Amazon (arbitration provision added after account opened – should be clear and conspicuous)
Enforceability
• Click-Wrap Updates
Enforceability
• Other Example Structures
E-Warranty (E-Warranty Act)
Enforceability
• Nature and actions of user impact enforceability
Nguyen v. Barnes & Noble (terms unenforceable against consumers but business relationships distinguishable)
Register.com v. Verio (terms binding where repeated access to site)
• Unconscionability
Comb v. PayPal
Facts and Circumstances
• Best Practices
View terms before assent (textual notice, placement, size,
color, etc.)
Assent before access to product
Clear disclosure of terms - Notice of consequences of accept/reject
Clear method of assent (“I Accept”)
If necessary, be creative/persistent (e.g., registration)
Enforceability
• Best Practices (cont.)
Record of assent (or IT restrictions)
Customary/reasonable agreement terms
Notice and acceptance of updates
Enforceability
Notable Provisions
• Changes
We may modify at any time
Changes effective immediately upon posting/disclosure
CONSIDER: notice period for material changes
Access/use following change constitutes acceptance
Then-effective terms apply to disputes (not retroactive)
Notable Provisions
• Dispute Resolution: NOT Best Practices
Notable Provisions
• Dispute Resolution: Best Practices
See also Roblox terms
Notable Provisions
• Limitations of Liability
Separate materially different concepts
– Direct Damages (i.e., no liability whatsoever)
– Consequential, incidental, etc. damages
– Liability Cap (FYI: 0 + 0 = 0)
– Disclaimers (e.g., third party software/content)
DETERMINE: Legitimate remedy? Conspicuous?
CONSIDER: interaction with other provisions
Notable Provisions
• Severability
Limit unenforceability to specific jurisdiction
Enforce provision to maximum extent permissible
All other provisions remain effective
Isolate questionable provisions
Notable Provisions
• Indemnification
Any activity (account/credentials)
Content
Breach
CONSIDER: specific risks/uses
Notable Provisions
• Privacy
Expressly incorporate by reference (DISCUSS)
– User agrees to Privacy Policy terms
– Include link to the Privacy Policy
Clear, accurate and transparent
CONSIDER: industry context
Notable Provisions
• Data Rights
Often key to business strategy
Related to providing, customizing and improving service
Don’t forget de-identified data
User warrants: authorized, complete, accurate and current
Terms, Policies, etc.
• Spoke Structure
Supplemental terms may apply to some services/content
Such terms are additional
Access/use constitutes user acceptance
Order of precedence
Terms, Policies, etc.
• Deemed Acceptance
By: accessing, using, visiting, downloading, registering, attending, etc.
Any: websites, products, services, software, applications, platforms, portals, content, test environments, data feeds, forums, events, etc.
“User signifies agreement to these Terms and the following, all of which are incorporated by reference and shall be included within the definition of Terms: [e.g., Privacy Policy, EULA, Trademark Guidelines, etc.].”
Summary
• Terms of Use/Service
Conspicuous
Accessible
Clear
Reasonable
Expressly accepted (including updates)
Access controlled and documented
Tech&Sourcing@MorganLewis Blog
About Tech & Sourcing @ Morgan Lewis
• Morgan Lewis’s Tech & Sourcing @ Morgan Lewis blog highlights the latest developments and trends affecting technology, outsourcing, and other commercial transactions.
• https://www.morganlewis.com/blogs/sourcingatmorganlewis
• Contract Corner on the Blog:
• https://www.morganlewis.com/blogs/sourcingatmorganlewis/2016/12/contract-corner-2016-anthology
• https://www.morganlewis.com/blogs/sourcingatmorganlewis/2017/04/contract-corner-standard-terms-in-the-iot-age
This material is provided for your convenience and does not constitute legal advice or create an attorney-client relationship. Prior results do not guarantee similar
outcomes. Links provided from outside sources are subject to expiration or change. Attorney Advertising.
© 2017 Morgan, Lewis & Bockius LLP
THANK YOU (THAT’S A “WRAP”)
Biography
A. Benjamin “Ben” Klaber practices on a Morgan Lewis team that counsels clients on technology, outsourcing, and commercial transactions, intellectual property matters, mergers and acquisitions, private equity, venture capital, and general corporate matters. Ben earned his J.D. from the University of Pittsburgh School of Law and his B.S.E. in operations research and financial engineering from Princeton University. He is a member of the Emerging Leadership Board of the Pittsburgh Venture Capital Association.
A. Benjamin Klaber Pittsburgh
T +1.412.560.7422
© Copyright 2017 by K&L Gates LLP. All rights reserved.
Julia B. Jacobson, Partner K&L Gates LLP (Boston)
Part II: Drafting Privacy Policies October 25, 2017
WHAT IS A PRIVACY POLICY?
A “privacy policy” describes how a website,
mobile application or other Internet-connected
service collects, uses, stores, shares, transfers
and otherwise processes personal information.
Contrast:
GLBA: privacy notice (model forms, 16 CFR §313,
Appendix A)
HIPAA: notice of privacy practices (model forms
available)
klgates.com 36
Legal Landscape
WHEN IS A PRIVACY POLICY REQUIRED?
FTC: “…all websites and online services –
particularly those directed to children – post
privacy policies online so visitors can easily
learn about the operator’s information practices.”
Personal information is “not yet linked to a
particular consumer, computer, or device but
that may reasonably become so”
WHEN IS A PRIVACY POLICY REQUIRED?
Children’s Online Privacy Protection Act
(COPPA) - 15 USC §6502
Requires verifiable parental consent before personal
information is collected online from children under
age 13
Personal information
Broadly defined - includes persistent identifiers (e.g. device
identifiers, MAC addresses, static IP addresses and cookies)
and geolocation information (among others) are personal
information when
WHEN IS A PRIVACY POLICY REQUIRED?
Delaware Online Privacy and Protection Act
(DOPPA)
An operator … that collects personally identifiable
information … about individual users residing in
Delaware … shall make its privacy policy
conspicuously available...
“… any personally identifiable information …
concerning the user…”
WHEN IS A PRIVACY POLICY REQUIRED?
California Online Privacy Protection Act
(CalOPPA)
“how the operator responds to Web browser ‘do
not track’ signals or other mechanisms”
“that provide consumers the ability to exercise choice
regarding the collection of personally identifiable
information”
“about an individual consumer's online activities over
time and across third-party Web sites or online
services”
WHEN IS A PRIVACY POLICY REQUIRED?
Oregon Consumer Protection Act
a company engages in an unlawful trade practice if it
“publishes on a website .. a statement [asserting] that
the person… will use, disclose, collect, maintain,
delete or dispose of information that the person
requests, requires or receives from a consumer and
the person uses, discloses, collects, maintains,
deletes or disposes of the information in a manner
that is materially inconsistent with the person’s
statement …”
WHEN IS A PRIVACY POLICY REQUIRED?
EU-US Privacy Shield – if a business decides to
self-certify for user (vs. HR) data, then (among
other steps) its privacy policy must include:
Statement that the business conforms to the Privacy
Shield Principles
Notice about personal information collection practices
Choices for limiting use/disclosure of personal
information
Link to https://www.privacyshield.gov/
Link to independent recourse mechanism information
Before Drafting
TO WHAT DOES OR WILL THE PRIVACY
POLICY APPLY?
Figure out who is responsible for the
website/app/service and who is responsible for
the information collected
Does the website/mobile app/digital service
collect information? If so, is it personal
information? Is any of the personal information collected “sensitive”?
Is any tracking data collected (including data that is not personal
information)? If yes, is it stored, shared and/or aggregated?
How is personal information collected and used?
Direct (consumer provides) and indirect (tracking
data) collection
Do third parties collect and use information?
If yes: which third parties?
If no: are you sure?
Are consumers tracked across devices and platforms?
How is personal information shared, disclosed or
transferred?
Insiders vs. outsiders
Outside the US
TO WHAT DOES OR WILL THE PRIVACY
POLICY APPLY?
Drafting the Privacy Policy
HOW TO DRAFT A PRIVACY POLICY
Clear, accurate and transparent disclosures
Clear: Understandable to intended audience
Accurate: “Say what you do and do what you
say”
Transparent: Highlight collection and uses
that are unusual or unexpected from the
consumer’s perspective and from context
FTC Enforcement - In re Nomi Technologies
(April 23, 2015)
Nomi’s privacy policy represented that: (1) consumers
could opt out of Nomi’s service at retail locations and
(2) consumers would receive notice when a retail
location uses Nomi’s service.
Nomi did not provide an opt-out mechanism at
customers’ retail locations and neither Nomi nor its
customers disclosed to consumers when Nomi’s
service was used at a retail location.
HOW NOT TO DRAFT A PRIVACY POLICY
HOW TO DRAFT A PRIVACY POLICY
Define what is and is not personal information
“aggregated,” “anonymous” and “de-identified”
“We never share your information.”
Eraser provision for California minors
When user-generated content is accepted
“Your personal information is safe with us.”
HOW NOT TO DRAFT A PRIVACY POLICY
FTC Enforcement - FTC v. AshleyMadison.com
(Dec. 14, 2016)
Ashley Madison privacy policy (~2015): “We treat
data as an asset that must be protected against loss
and unauthorized access. To safeguard confidentiality
and security of your PII, we use industry standard
practices and technologies including but not limited to
“firewalls,” encrypted transmission via SSL (Secure
Socket Layer) and strong data encryption of sensitive
personal and/or financial information when it is stored
to disk.”
Posting the Privacy Policy
CONSENT TO PRIVACY POLICY
When to obtain
First use, download or access – prior to or concurrent
with collection of personal information
Material Changes (see Notification below)
How to obtain
Bundled or unbundled consent
Browsewrap, Clickwrap, Scrollwrap
MONITOR
Conduct ongoing monitoring
Do privacy policy disclosures match activities?
Any change in functionality or practices?
Any unauthorized third party collecting information?
Monitoring software and services (e.g., Ghostery)
Plans for future changes?
Update privacy policy to reflect new practices
CHANGES TO PRIVACY POLICY
Are updates material?
Do updates have retroactive effect?
FTC: “...give prominent disclosures and to obtain express
affirmative consent for material retroactive changes.”
Do updates involve sensitive information?
What does the current privacy policy say about updates?
Notice to users
Banner on landing page
Pop-up notice when users log in
Send emails
Blog posts
WRAP UP
Audit — be thorough
Draft — draft based on audit
Consent — how and when to obtain
Monitor — periodically
Update — new and changed practices
Notify — about new and changed practices
Intellectual Property
INTELLECTUAL PROPERTY
Ownership and Rights
Proprietary/licensed software, content, etc.
Feedback
User Content
Data
Potentially Additional EULA(s)
INTELLECTUAL PROPERTY
Use Restrictions
User Content - Limitations
Third Party Rights (e.g., plug-ins)
Termination/Suspension
INTELLECTUAL PROPERTY
Copyright & DMCA
Trademarks
Emerging Topics
EMERGING ISSUES INTERNET OF THINGS (IoT)
Contract Distancing
Children IoT
Privacy
End of Life
Terms
Goo goo
“Say ‘Goo goo’ if you consent.”
EMERGING ISSUES
Global (GDPR)
Biometrics and Locations
Law Enforcement
CHANGING LANDSCAPE
THANK YOU
Julia B. Jacobson
K&L Gates
Richard C. Vershave
Fraser Trebilcock