Regulatory Issues for Your Company’s Website

Whether your company’s website is just a facet of your business, or is the whole point behind your business, your company should be aware of a number of laws and regulations surrounding websites, and make sure that your company and website are compliant with them.

DMCA — The Digital Millennium Copyright Act, which was implemented to amend copyright law in response to the growth of the internet. The DMCA can be particularly important for operators of websites that feature user-created content, since users can (knowingly or unknowingly) include copyrighted material in their submissions (website operators are especially on the hook, given that the DMCA’s main innovation was to exempt internet service providers from liability for copyright infringement that occurs through their service). Accordingly, you should make sure that your website has a DMCA takedown policy (typically published as part of the Terms of Service/Use), in which copyright holders can notify you if they believe their material is on your website and permit you to take it down.

COPPA — The Children’s Online Privacy and Protection Act imposes regulations and requirements on operators of websites that are directed at children under the age of 13 (or where the operators have actual knowledge that their website is used by children under the age of 13). Specifically, COPPA requires applicable websites to obtain verifiable parental consent before collecting personal information (even including a name or an email) from child users. COPPA also prohibits applicable websites from presenting advertising for “adult” products, such as alcohol or tobacco.

ADA — The Department of Justice has been working on rules for applying the ADA, or Americans with Disabilities Act, to websites that are subject to the ADA. However, the DOJ has recently reversed its position that websites wouldn’t be subject to the ADA until final rule making is complete, bringing enforcement actions against websites for universities, museums, county courts, and grocery delivery services. Moreover, the DOJ has stated that websites must be accessible to the general public, not just to the actual users of the website. If your company’s website is where your company actually engages in commerce (i.e. where you sell your product; the website itself is your company’s product), then you may want to consider adopting the Web Content Accessibility Guidelines. 

Enforcing Your TOS — Finally, it is important for website operators to remember that their Terms of Service are the contract between them and their users. That being the case, you don’t want to end up like one of the many “browserwrap” cases that have been making headlines over the past few years. Many websites that have tried to enforce their ToS against violating users have had those ToS invalidated by the courts on the basis that the website could not demonstrate that the user affirmatively assented to the ToS. As a result, it’s not enough to say that mere use of a website constitutes a user’s acceptance of the ToS. Instead, best practices seem to dictate that users should be presented with the actual text of the ToS, and be required to click an “I accept” or similar button; the website should also have a mechanism for recording the user’s consent.

Implementing and Enforcing Website Terms of Service

Any website or mobile app operator should have “terms of use”, “terms of service”, or “terms and conditions” that govern users’ use of the website or app. However, this document is effectively the contract between you, the operator, and the user, governing your relationship over the use of the website or app. As a result, it is imperative that website or app operators ensure that their users have affirmatively accepted the terms of service before use.

The worst thing an operator can do in attempting to enforce terms is attempting to have mere use of the website or app constitute acceptance of the terms, even if users are provided a link to the terms to read. Instead, best practices dictate, when having users “agree” to use the website or app, such as upon user account creation or on a purchase page for e-commerce websites and apps, conspicuously posting the full text of the terms (including any privacy policy) for users to read, before having to click a box or button that says “I accept” the terms. The best acceptance pages actually require users to scroll through the entire terms before being able to check or click an accept button or box. However, where presenting the full terms may be impractical, such as on a mobile page, it is acceptable to have a link to the terms in lieu of the full text, provided that it is made clear to the user that the link connects to the full terms and that clicking or checking “I accept” indicates acceptance of those terms.

However, once a user has affirmatively accepted terms, it is important for website/app operators to keep a record of that acceptance. Courts have recently refused to enforce terms against users where operators have been unable to produce evidence that the user ever accepted the terms. While it has been possible to demonstrate acceptance by proving that use of the site could not have occurred without acceptance of the terms, it can be difficult to prove what terms were in effect at the time of the relevant use. Some operators have taken to sending users email confirmation of their acceptance of the terms, either as a separate email or as part of an account registration or purchase confirmation email, and then archiving said emails as proof of acceptance.

Finally, it is important to ensure that terms remain enforceable once they are changed. It is not practical to have the operator have the unilateral right to change the terms without any action by the user since the terms are a contract, which cannot be amended without mutual agreement. Ideally, anytime an operator changes its terms, it would have users go through the same acceptance process as when the user initially accepted the terms. However, operators are understandably wary of making the user experience too cumbersome by having users go through an agreement page whenever they wish to use the website or app after terms are updated. Courts have permitted unilateral changes to terms, provided that the operator gives the user sufficient advance, conspicuous notice. Such notice should be conspicuously posted on a user’s account page or the main website/app, or emailed/messaged to the user’s address or account. The notice should also inform users that continued use of the website/app after updated terms go into effect will constitute acceptance of the modified terms.

The Different Kinds of Contracts

This article isn’t going to talk about “different kinds of contracts” in the sense of sales contracts vs. employment contracts vs. real estate contracts. Instead, I’ll be talking about express, implied, and quasi-contracts.

Express contracts are the contracts that parties affirmatively intend to enter into. When you go to buy a car, you sign a contract that is an agreement to purchase the vehicle, so that you and the dealer enter into an express contract for the purchase and sale of the car. But not all express contracts need be written. Oral contracts, generally speaking, are just as effective a form of express contract as printing out a written agreement and signing on the dotted line. If I stop by your house and offer to paint it for $1000, and you agree to have me paint it for $1000, we have entered into an express oral contract.  

However, while oral contracts are generally equally as enforceable as written contracts, there are certain types of agreements that must have a signed writing in order to be enforceable — no oral contracts. This doctrine is known as the “statute of frauds”; although the exact list of agreements that must have a signed writing may vary from state to state, the types of contracts that are typically covered by the statute of frauds include contracts for the sale and purchase of an interest in real estate, contracts for the sale of goods over $500, and contracts that are intended to definitely last longer than one year (if the contract is of indefinite duration or it is not definite that the contract will last longer than a year, this “one year rule” may not apply).

The next kind of contract is the implied contract. Implied contracts arise from the conduct of two or more parties that demonstrates that they intend to be bound by some sort of agreement, although no express written or oral agreement exists. For example, let’s say I come by your house and mow your lawn, and you pay me $50. I then keep coming back every two weeks to mow again, and you keep paying me $50 each time. As a result, we may have an implied contract for me to mow your lawn every 2 weeks for $50 every time I mow. Implied contracts are just as enforceable as express contracts, although it is often more difficult to discern the terms of an implied contract since they arise from the parties’ conduct, rather than having express terms written or spoken between the parties.

The final kind of contract technically isn’t a contract at all. It is a legal doctrine known as a “quasi-contract”, and is a form of equitable relief used by courts to avoid unjust enrichment by a party, when that party has something of value conferred upon them by another party in the absence of an express or implied contract.

Accept Credit Cards? Make Sure You Know of New Liability Rules

Beginning October 1, EuroPay, Visa, and MasterCard are adopting new rules related to the adoption of chip-and-pin technology in credit cards. The chip-and-pin technology is intended to replace traditional magnetic strip credit cards and the swipe-and-sign process; chip-and-pin technology is reputed to reduce the risk of credit card fraud at point-of-sale systems to nearly zero.

Currently, the credit card issuer bears liability in the event a credit card is used fraudulently at an in-store merchant. Under the new rules coming into effect next month, liability will shift to the party — either the issuer or the merchant — that has not adopted chip-and-pin technology. For businesses that accept credit cards for sales, where a chip-and-pin credit card is used in-store and the merchant has not installed a chip-and-pin point-of-sale reader (i.e., the store is still using magnetic strip swipe readers), liability for fraudulent card use falls on the merchant. If the merchant is using a chip-and-pin reader, the card issuers will continue to assume liability for fraudulent use. Additionally, where an old magnetic strip credit card is used with a merchant still using older magnetic strip readers, card issuers will continue to retain liability, though issuers will have likely phased out all old-style credit cards as they expire in the coming few years.

The liability shift does not apply to card-not-present transactions (such as online transactions or where the merchant keys in the credit card information), or fraud resulting from a lost or stolen card. The liability shift also does not occur for fuel pump or ATM transactions until October 2017. Businesses that accept credit cards for in-person transactions and do not yet have chip-and-pin processing hardware should contact their payment processor to inquire about how to obtain up-to-date card processors.

Can I Use an E-Signature?

With the march towards an increasingly digital world, more and more companies are beginning to adopt the use of e-signatures. Traditionally, a signature included not just the writing of one’s name, but the making of any mark or symbol with the intention to adopt or accept a written agreement.

Congress passed the Electronic Signatures in Global and National Commerce Act (E-Sign Act) in order to ensure the enforceability of electronically signed contracts. The E-Sign Act defines an electronic signature as “a sound, symbol, or process…attached to or logically associated with an electronic record…made with the intent to sign the electronic record.” Therefore, under the E-Sign Act, the attachment of a digital image of one’s signature, the typing of one’s name at the end of an electronic agreement, or even clicking “I Accept” at the end of said agreement constitutes an electronic signature.

Although under the E-Sign Act a contract cannot be denied legal effect just because an electronic signature was used, the E-Sign Act also provides exceptions for certain types of agreements where electronic signatures cannot be used. First, the E-Sign Act does not require a party to agree to use or accept an electronic signature, so a party can require a handwritten signature as a condition of acceptance.

Moreover, the E-Sign Act excepts several kinds of contracts and documents from its application, including:

– Documents related to the creation and execution of wills, codicils, and trusts

– Documents related to adoption, divorce, and other family law matters

– Documents governed by the Uniform Commercial Code (except those covered by the articles governing sales and leases of goods)

– Court orders or notices, or official court documents (such as briefs and pleadings)

– Cancellation or termination notices for utility services, health insurance, or life insurance

– Notices of default, acceleration, repossession, foreclosure, or eviction, or the right to cure, under a mortgage or rental agreement for a primary residence

– Documents required to accompany the transportation or handling of hazardous or toxic materials

Finally, the E-Sign Act permits electronic retention of contracts and documents, as long as the electronic record “accurately reflects the information” in the contract and the record can be later accessed and accurately reproduced.