Implementing Terms of Service and Other Electronic Agreements

All too frequently, Terms of Service, Terms of Use and End User License Agreements (see our post on the differences between each) are found unenforceable when challenged in court because the agreements are not properly implemented.

Simply described, the implementation process (see our post on the technical aspects) is:

  1.  Present the agreement to the user; then
  2.  Require the user to affirmatively agree, usually through a click, to the agreement.

In the web context, implementation typically looks like this:

[Check box] I agree to the Startup Company Terms and Conditions (linked to the Terms and Conditions)

[Continue] (or similar language, such as “Purchase” etc.)

In the above implementation approach, the user cannot proceed unless they check the box and click the button at the bottom of the page.

In the mobile context, implementation is more challenging given the need to balance legal implementation and user experience.  While the above approach can work, it may not be ideal from a UI/UX perspective.

One mobile approach is to present the agreement to the user, require that they scroll through it and, once they have scrolled to the end, present the following button at the bottom of the page:

[I agree] to the Terms and Conditions.

Given the differences between each mobile application, agreement implementation on mobile takes many forms and the above approach may not work for you.

Spending the time to determine the most effective way to implement your electronic agreements is vital as the agreements are worthless if found to be unenforceable.

How to Implement Electronic Signatures

Online agreements require an electronic form of your signature, whether you click “I agree” or use a digital version of your offline signature.  Electronic signature laws in the U.S. and Canada do not address the correct signature format.  Instead, these laws focus on the correct process for creating an enforceable signature.

Three key considerations guide the electronic signature process:

1.  Identification

How do you identify the signatory?  In the case of a prospective user agreeing to a Terms of Service, identification may come in the form of an email address, first and last name and IP address.  Given the impersonal nature of online agreements, the identification challenge is establishing that the signatory is, in fact, who they claim to be.

2.  Intention

How do you establish intention to sign?  Intention could be established through a digital version of your offline signature applied to a document or a user clicking “I agree.”  Ultimately, the user must understand what they are agreeing to and that they are, in fact, agreeing.  For example, placing the “I agree” button after the agreement provides the user an opportunity to understand the agreement before being asked to agree to it.

3. Integrity

How are electronic signature records retained to ensure originality and ease of production? Integrity may be established through a fixed user acceptance process whereby any user, in order to access a website, is required to accept certain terms.  Alternatively, in the case of a more traditional signed agreement, the agreement copy is retained in a locked file format, with the date and time of signature logged.  In both cases, establish an electronic audit trail.
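The three considerations above, together with the click-through and scroll-through implementations described earlier, amount to one record per acceptance: who accepted, what affirmative act they took (and that the agreement was shown before it), and a tamper-evident fingerprint of the exact text they accepted. The following is an added example of such an acceptance record, written for this post and not taken from it or from any product; the agreement text, user details, IP address, version label, action names and the HMAC key are all constructed placeholders.

```python
"""Tamper-evident audit trail for click-through agreement acceptances.

Added example (not from the original post). It turns the three
considerations in the text, identification, intention and integrity,
into one signed acceptance record:
  - identification: who accepted (email, name, IP address)
  - intention: which affirmative act was taken, and that the agreement
    was presented before the act
  - integrity: a SHA-256 fingerprint of the exact agreement text shown,
    UTC timestamps and an HMAC so that later edits to the record or to
    the agreement are detectable.
All names, keys and sample data below are constructed for illustration.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed placeholder; a real deployment loads this from a secrets store.
AUDIT_KEY = b"replace-with-a-32-byte-random-key"

# Constructed sample agreement text (the hypothetical "version 1").
TERMS_V1 = "Startup Company Terms and Conditions, version 1.\nYou agree to ..."


def agreement_fingerprint(text: str) -> str:
    """SHA-256 of the exact agreement text presented to the user."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def _sign(body: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the record body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hmac.new(AUDIT_KEY, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def record_acceptance(email, name, ip_address, agreement_text, agreement_version,
                      action, presented_at, accepted_at=None) -> dict:
    """Build a signed acceptance record.

    `action` names the affirmative act, e.g. "checkbox_and_continue_click"
    (web) or "scrolled_to_end_and_i_agree_click" (mobile). A record whose
    acceptance precedes presentation is rejected, since the user must have
    had the opportunity to read the agreement before agreeing.
    """
    accepted_at = accepted_at or datetime.now(timezone.utc)
    if accepted_at < presented_at:
        raise ValueError("agreement accepted before it was presented")
    body = {
        # identification
        "signatory": {"email": email, "name": name, "ip_address": ip_address},
        # intention
        "action": action,
        "presented_at": presented_at.isoformat(),
        "accepted_at": accepted_at.isoformat(),
        # integrity
        "agreement_version": agreement_version,
        "agreement_sha256": agreement_fingerprint(agreement_text),
    }
    return {"body": body, "hmac": _sign(body)}


def record_is_intact(record: dict) -> bool:
    """True if the record body has not been altered since it was signed."""
    return hmac.compare_digest(record["hmac"], _sign(record["body"]))


def matches_agreement(record: dict, agreement_text: str) -> bool:
    """True if `agreement_text` is byte-for-byte what the user accepted."""
    return record["body"]["agreement_sha256"] == agreement_fingerprint(agreement_text)


def sample_times():
    """Constructed timestamps: terms shown, then accepted 3.5 minutes later."""
    shown = datetime(2014, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    clicked = datetime(2014, 6, 1, 12, 3, 30, tzinfo=timezone.utc)
    return shown, clicked


def demo_record() -> dict:
    """A complete record for a constructed web click-through acceptance."""
    shown, clicked = sample_times()
    return record_acceptance("user@example.com", "Jane Doe", "203.0.113.7",
                             TERMS_V1, "v1", "checkbox_and_continue_click",
                             shown, clicked)


if __name__ == "__main__":
    rec = demo_record()
    print(json.dumps(rec, indent=2))
    print("record intact:", record_is_intact(rec))
    print("matches current terms:", matches_agreement(rec, TERMS_V1))
    # A silent edit to the terms after acceptance is detected:
    print("matches edited terms:", matches_agreement(rec, TERMS_V1 + " (edited)"))
```

Storing the fingerprint rather than a pointer to "the current terms" is what lets you produce, later, exactly the text the user saw even after the agreement has been revised; the HMAC answers the originality question by showing the record itself has not been touched since it was written.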

While there is no correct type of online signature, there is a correct process for online signatures that should be considered whenever an online agreement is required.

Balancing Growth with Legal Compliance

Frequently, large technology companies face lawsuits in foreign courts over their failure to comply with foreign laws, primarily those concerning privacy, sales and consumer rights.  In Germany, WhatsApp’s Terms of Service violated consumer protection laws; in Canada, Facebook is challenging the application of Canadian privacy law; and in Australia, Valve’s no return policy allegedly violates consumer protection laws.  As your startup grows, users may come from major markets across the world and create a challenge – how to balance growth with legal compliance?

Governing law clauses (X law applies and X courts have jurisdiction) are frequently unable to prevent the application of foreign laws to your company – just ask WhatsApp, Facebook or Valve.  Therefore, complying with the laws of only one market naturally leaves your startup exposed to legal liability for non-compliance in other markets.  While I suggest considering compliance with the law of each market in which you gain traction, I also recognize that cost concerns and a startup’s focus on growth strategies mean that compliance is always on the back burner.

When balancing growth with legal compliance, consider:

1.  Size of your company in each market:  the larger your company is in a market, the more likely the laws of that market will be asserted against you.

2.  General size of your company:  the larger (and wealthier) your company is, the more likely the laws of foreign markets will be asserted against you.

3.  Potential liability:  How large is your company’s exposure to liability for non-compliance in each market?  How comfortable is the company with this exposure?

4.  PR:  Does non-compliance create a substantial chance for bad PR in that market?

Small startups (and large technology companies) frequently focus on growth over legal compliance.  Indeed, at the start of your company, potential liability is low as the company is flying under the radar – here, focusing on growth makes sense.  Once your company grows, legal compliance should be weighed and constantly reevaluated as laws, and your company, change.

FTC Beats Snapchat – Important Privacy Policy Lessons

I often stress the need to keep your Privacy Policy up-to-date; case in point, Snapchat’s settlement with the U.S. Federal Trade Commission.  In the action, the FTC found that Snapchat deceived users with incorrect claims about privacy and misrepresented its data collection practices.  Ultimately, the FTC subjected Snapchat to 20 years of independent privacy monitoring.

A few key lessons:

1.  Don’t misrepresent.  All representations about your software must be accurate, especially those concerning privacy.  If you don’t secure the app using X methods, don’t say that it is secured that way!  As the FTC states, “Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action.”

2.  Keep the Privacy Policy up-to-date.  The development team should keep track of all information collected by the software and loop the legal team in whenever a new feature or element is added.  Often misrepresentations result from outdated privacy policies that do not keep pace with software development.  Further, if marketing wants to make claims about software privacy, make sure to run the claims by the legal team first – best not to make public claims that conflict with the privacy policy.

3.  If you have information, act!  If users point out security flaws in your software, seriously consider them and document the action taken in response.  In Snapchat’s case, numerous users pointed out security flaws that were disregarded, and such conduct certainly factored into the FTC’s decision.