Almost every business has an online presence of some form. Many have a website which serves as anything from an online company brochure to a fully-featured online store or customer/vendor/user portal. Some have apps available through Google Play Store, the Apple App Store, or other app stores. A number of companies spend significant sums on their websites and apps to design robust features and content delivered through a compelling user experience. But if there’s one place website and app operators miss the mark, it’s ensuring the right legal disclosures are in place, and that the ones that are in place are saying the right things.
When most people think of a website or app disclosure, they think of a privacy policy and terms of use. These are definitely important. However, There are a number of other disclosures required or recommended under federal and state law that companies should consider to manage risk and avoid potentially distracting and costly litigation. At the same time, saying too much in disclosures such as your privacy policy can expose your company to unnecessary risk.
There are four core rules that should apply to all website disclosures:
- Write them in plain English.
- Avoid using undefined technical jargon and using marketing bluster.
- Make them easy to understand and use.
- Make them 100% accurate and truthful.
Consider having your company’s User Experience group review your disclosures and policies to ensure they are as easy to read and navigate as possible. Consider using design elements such as progressive reduction and progressive disclosure (you can see my earlier blog post on this topic by clicking here.) The goal is to ensure consumers easily understand your disclosures. If you ever have an issue with a term or provision in your disclosures, being able to argue that the content and design were optimized for easy reading and navigation can pay dividends.
Here are some website and app disclosures to consider:
- The Privacy Policy. States such as California have laws requiring companies to have online privacy policy. Since almost every website is accessed by users in California, it’s safe to say you are legally required by state law to have a privacy policy. Companies in certain industries or sectors such as in the healthcare sector (HIPAA) and financial sector (Gramm-Leach-Bliley) have specific requirements for their privacy policies. A privacy policy is also required by law in some states on an information category basis, such as Connecticut’s requirement that anyone collecting Social Security Numbers have a publicly displayed privacy policy with certain required disclosures. Certain laws also mandate that you cover certain topics in your privacy policy (e.g., California’s requirement to disclose how you handle “do-not-track” headers, and California’s requirement to provide information on how minors who are your registered website users can request that you remove their personal information). Don’t forget that your privacy policy needs to apply to, and be displayed on, your company’s apps as well.
A company’s privacy policy obligations can be summarized simply: say what you do, and do what you say. “Say what you do” means ensure your privacy policy fully describes how you collect, use, and share information (both personally identifiable information, such as your name and address, and non-personally identifiable information such as behavioral data) collected from or about your customers. “Do what you say” means ensuring your day-to-day business activities with respect to information collected from consumers falls within the boundaries of what you say you do in your privacy policy. Two important rules to follow are, (1) if you want to change how you collect, use or share information from consumers, make sure your privacy policy allows it first, and give prior notice to website users that your privacy policy is changing; and (2) if you want to change how you use information you’ve already collected from consumers, you’ll need permission from the consumers first. Always include an effective date on your privacy policy (again, a state law requirement).
Look for a more detailed post on privacy policies coming soon.
- Terms of Use/Terms of Service. Your terms of use (sometimes also referred to as “terms of service”) should describe the rights and obligations applicable to both your company’s website/app/online service users and to your company itself with respect to the operation and/or use of an online website, app, and/or online service. It should cover topics such as ownership of the website and company-provided content on it (including your copyrights, trademarks and licensed trademarks), and associated restrictions (e.g., no screen scraping website content); disclaimers of third party content, such as third party ad networks on your site, and language to prevent use of your company’s trademarks other content to create the appearance of sponsorship by or affiliation with a third party; whether or not you collect information from children under 13 (if you do, ensure you are complying with the Children’s Online Privacy Protection Act or “COPPA”); an obligation to report lost or stolen passwords and change passwords regularly; what you can do with user-generated content uploaded or shared to the website (e.g., a broad right and license to use it), and related terms (e.g., it’s provided royalty-free and with no license costs, that it doesn’t infringe anyone else’s rights, etc.); a feedback provision if users may provide feedback or comments; links to third party content; and important legal terms such as jurisdiction, choice of law, indemnification, and the like. Many website operators include an acceptable use policy as part of their Terms of Use/Terms of Service; some have a separate policy on their website.
- DMCA Notice. If your website collects, displays, or otherwise uses or shares user-generated content, consider a copyright notice (also called a “DMCA notice”). The Digital Millennium Copyright Act creates a “safe harbor” from copyright infringement for websites operators who honor takedown requests and display on their website information for their designated “copyright agent” to which takedown requests can be sent. There’s more to the statute than that, so if you need a DMCA notice please review one of the multitude of articles out then on crafting a proper DMCA notice. Don’t forget that you need to register your designated copyright agent with the US Copyright Office by filing a “Designation of Copyright Agent” form.
- California “Shine the Light” Notice. In 2005, California enacted the “Shine the Light” law as part of its Consumer Records Act. The law requires businesses to provide disclosures to California consumers of the types of customer information they share with third parties for the third party’s direct marketing purposes during the immediately preceding calendar year. If your business shares collected personal information with third parties for the third party’s direct marketing purposes and does business in California, with a few exceptions this law applies to you. Businesses are required to let customers know how to submit requests for this information. While there are a few options, the simplest for most businesses is to include a link on the company’s homepage to “Your California Privacy Rights” or “Your Privacy Rights” to a page describing customer’s rights under the “Shine the Light” law and the email/physical address to which requests should be sent. There has been an uptick in class action litigation recently against companies which do not have a “Shine the Light” disclosure on their website.
- Terms of Sale. If you sell products through your website, consider using a Terms of Sale to govern the sales transaction. Terms of Sale typically include provisions such as placing an order; when it is accepted by the company; delivery and fulfillment terms; the return/cancellation policy; information on prices (e.g., subject to change without notice, not required to honor incorrect pricing); license rights to software; etc.
- Warranties. One policy you may want to consider adding to your website are product warranties. Last year Congress passed, and President Obama signed, the E-Warranty Act of 2015. This law amended the 1975 Magnuson-Moss Warranty Act to allow companies to put their warranties online instead of including them on or in product packaging. The product documentation or packaging would need to include a link to the online warranty, instead of the warranty terms themselves. Companies that sell products that come with warranties should consider reviewing and taking advantage of the E-Warranty Act.
- Supply Chains Notice. In 2010, California enacted the Transparency in Supply Chains Act. The law requires large retailers doing business in California (over $100 million in annual revenue identifying itself as a retail seller or manufacturer on their CA tax return) to post disclosures on their websites on their “efforts to eradicate slavery and human trafficking from their [direct] supply chain for tangible goods offered for sale” in five specific areas: verification, audits, certification, internal accountability, and training. It requires the disclosures be accessible through the company’s homepage via a “conspicuous and easily understood” link.
- Be careful your disclosures aren’t saying too much. While having the right disclosures for your websites and apps is important, avoid saying too much. Remember, when it comes to disclosures, what you say can hurt you. Website disclosures are not the place for marketing puffery. If you make a statement such as “100% guaranteed,” “we encrypt all data,” or “we use best-in-the-industry [whatever],” and it turns out to be false or inaccurate, you can expect state AGs and the FTC (and class action counsel) may come knocking. Generally, one of the roles of the Federal Trade Commission is to ensure that companies are not engaging in unfair or deceptive trade practices. This extends to ensuring that companies are making accurate and truthful disclosures on their websites. Some states, such as Pennsylvania, have expressly included false and misleading privacy policy statements as a deceptive or fraudulent business practice.
- At the extreme end of this, consider what has been happening in New Jersey. Class action counsel have been using an extremely broad interpretation of NJ’s largely-ignored-until-recently Truth in Consumer Contract, Warranty and Notice Act to go after companies operating business-to-consumer (B2C) websites. The law prohibits sellers from providing notices, terms, or contracts with provisions that violate “any clearly established legal right of a consumer or responsibility of a seller” under federal or state law (whether or not the consumer is happy with the purchase). Class action counsel are bringing suit under this statute stating that just displaying a website notice with a general limitation of liability, broad disclaimers of warranty, statements that certain terms such as warranty disclaimers may not apply to particular consumers without specifying whether NJ consumers are affected, or other limitations on a consumer’s rights is a violation of the statute. Most of these cases are settling before trial, but like other nuisance lawsuits they can end up costing your business considerable time and lost productivity if you end up facing one.
Most companies place their website disclosures at the bottom of the page in a footer. Do not bury them or make them hard to find. Your policies should be accessible through no more than 2-3 clicks via a logical navigation path. While putting your disclosures in the footer makes sense and is very common, consumers may argue that they simply never saw the disclosures because they never scrolled down to the bottom. Consider also making website disclosures “contextual,” i.e., place policy and disclosure links in close proximity to the related usage. For example, on pages where you are actively collecting information, consider putting a link to the privacy policy right next to the “submit” button, or before a consumer places an order on your e-commerce website, add language verifying they have read and agree to your terms of sale and privacy policy. Consider providing a welcome message, with notice of your privacy policy and terms of use, to consumers visiting your website as a disappearing pop-up, e.g., one that appears for 3-4 seconds at the top of the webpage then fades out, similar to “cookie disclosures” on many EU-based websites.
Finally, consider working with IT to create simple shortcuts for your most common policies (e.g., “privacy.company.com” or “www.company.com/privacy” for your privacy policy) so you have a short and simple URL you can use where you need to direct consumers to your online disclosures.