Summary: Online advertising has been self-regulated for some time but the FTC has made it clear that it is not happy with the resulting dense legalese of TOU’s and privacy policies. They set forth new guidelines that they expect publishers to use during the next year–at which time the FTC will consider new legislation. (Please note: Various ad industry associations offered their response, which is discussed in the post below at digitaldumonde.wordpress.com/2009/07/23/new-ideas-for-online-data-collection-use-the-industry-responds-to-the-ftc/.)
Although the guidelines are only just that–guidelines–they should “guide” your revisions to your TOU’s and your privacy policy. Here is a quick summary.
I. Introduction.
The staff of the United States Federal Trade Commission (FTC) recently released a report (February 12, 2009) that will directly affect the documents governing the relationship between an online content provider and viewers/consumers-Terms of Use (TOUs), End-User License Agreements (EULAs) and Privacy Policies. The report also suggests implications for the use of private information. Please email us atjcrext@globalcaplaw.com and a copy of the report will be sent to you, or you can find it on the site of the FTC.
The report sets forth principles for self-regulation for the online advertising industry relating to online “behavioral advertising.” (The report defines behavioral advertising, which is set forth below under “Definition”). Technically, it is a supplemental report, but it has the effect of finalizing the December 2007 draft “Self-Regulatory Principles for Online Behavioral Advertising.”
It should be emphasized that these are principles for self-regulation for the online advertising industry. Arguably, this means that they are not binding, and, indeed, the report makes that clear. However (and this is an important caveat), the principles will definitely guide the enforcement actions instituted by the FTC. Moreover, it seems that the FTC is pre-disposed to initiate legislation in this area, which will probably codify much of what is found in these principles. And states often look to such reports for guidance on their legislation on privacy.
In reading the footnotes, another point emerges from the report. The FTC staff appears to believe that those who draft TOUs and privacy policies have not been keeping a close eye on the enforcement actions and decisions that the FTC staff believes to be relevant-and these include decisions that do not involve online matters but do involve clear disclosure for consumers. In fact, the report footnotes include quotes from FTC commissioners that can be summed up as the following rule:
Policies that bury relevant information and choices for consumers in legalese will do so at the peril of the publisher.
(Please note that the above rule is our language and not that of the FTC or its staff.)
II. So What?
1. Clean up These Documents. Dense legalese will probably not “pass muster” with the FTC. They are keeping a close eye on this area.
2. Consumers’ Choices Must Be Clear. Just as dense legalese is for the FTC tantamount to unacceptable (and often illegal) “fine print,” obscuring consumers’ choices is frowned upon. In particular, the report mentions “check boxes” that are already checked–something frowned upon in the report.
3. Certain Changes to Terms Must Be Affirmatively Accepted. Any material changes or “retroactive” changes (i.e., affecting policies on data already collected) must be affirmatively accepted by the site users. Prospective changes do not (yet) need such approval but it is pretty clear that the staff leans in that direction. This possibly means that the common technique of saying “Use of this site means acceptance of the terms” together with the “warning” that changes can be made at any time will not be acceptable by the FTC.
4. The PII/non-PII Distinction is Diminishing. The US approach has been to try to protect “personally identifiable information” at a higher level than that which is not personally identifiable. This differs from the European model. Now, the FTC is moving towards the European model and this is understandable. The staff understands that PII can often be gleaned from non-PII, which makes the distinction too porous. In particular, the report wishes to increase the protection of data that can identify an individual machine (PC, mobile phone, etc.), while the earlier approach was to preclude identification of an individual user.
5. Self Regulation is a Testbed and is on Probation. The FTC simply sidestepped resolving many issues, leaving it to the “industry” to try various methods. However, one can infer that “industry” has about a year before the FTC moves towards legislation.
III. The Report.
We have not included the entire (50+ page) Report, but we have quoted almost the entire conclusion, which summarizes the final version of the “Principles” of self-regulation. The numbering is directly from the Report:
A. Definition
For purposes of the Principles, online behavioral advertising means the tracking of a consumer’s online activities over time – including the searches the consumer has conducted, the web pages visited, and the content viewed – in order to deliver advertising targeted to the individual consumer’s interests. This definition is not intended to include “first party” advertising, where no data is shared with third parties, or contextual advertising, where an ad is based on a single visit to a web page or single search query.
B. Principles
1. Transparency and Consumer Control
Every website where data is collected for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement that (1) data about consumers’ activities online is being collected at the site for use in providing advertising about products and services tailored to individual consumers’ interests, and (2) consumers can choose whether or not to have their information collected for such purpose. The website should also provide consumers with a clear, easy-to-use, and accessible method for exercising this option. Where the data collection occurs outside the traditional website context, companies should develop alternative methods of disclosure and consumer choice that meet the standards described above (i.e., clear, prominent, easy-to-use, etc.)
2. Reasonable Security, and Limited Data Retention, for Consumer Data
Any company that collects and/or stores consumer data for behavioral advertising should provide reasonable security for that data. Consistent with data security laws and the FTC’s data security enforcement actions, such protections should be based on the sensitivity of the data, the nature of a company’s business operations, the types of risks a company faces, and the reasonable protections available to a company. Companies should also retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.
3. Affirmative Express Consent for Material Changes to Existing Privacy Promises
As the FTC has made clear in its enforcement and outreach efforts, a company must keep any promises that it makes with respect to how it will handle or protect consumer data, even if it decides to change its policies at a later date. Therefore, before a company can use previously collected data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consumers. This principle would apply in a corporate merger situation to the extent that the merger creates material changes in the way the companies collect, use, and share data.
4. Affirmative Express Consent to (or Prohibition Against) Using Sensitive Data for Behavioral Advertising
Companies should collect sensitive data for behavioral advertising only after they obtain affirmative express consent from the consumer to receive such advertising.
Summary: You might not have read it here first but you have read it here often: Courts are taking on—and deciding against—what they consider to be unfair terms in EULAs or TOUs. In this case, it was the federal district court for Northern Texas, finding that the arbitration clause was illusory. It is important to note that this case, in our opinion, does not stand alone but adds more case law attacking the terms of these online agreements. These cases are—and in particular this case is—consistent with one of the principal points central to the new FTC staff guidelines. The message: Complicated TOUs put the client at greater risk.
In Harris v. Blockbuster, the court for the Northern District of Texas held that the arbitration provision of the online agreement for the use of Blockbuster was illusory. Dicta suggest even broader implications for the decision, but that alone was enough to cause some concern (we do not yet know if there will be an appeal, though it is probable).
As far as the court was concerned the main problem with Blockbuster’s online agreement was sort of a double-whammy. The agreement stated that Blockbuster could change the provisions at any time—which would, of course, mean that changes with retroactive effect would, in the opinion of Blockbuster, be enforceable. In this case, some disputes arose and Blockbuster then added an arbitration provision, which was to apply retroactively and thus eliminate much of the risk (from a trial).
So What?
So, online agreements (what we call EULAs and TOUs) with retroactive changes inserting (or affecting) arbitration provisions will run afoul of this opinion—of course, in that district. Moreover, the opinion carries some weight with other claims about online agreements. Many online agreements—perhaps a majority, perhaps many more—have such provisions enabling the publisher (in this case Blockbuster) the right to make retroactive changes to the terms. Suddenly, then (if you believe in Chicken Little), these provisions are at risk.
Ammunition & Guidance. Really, though, the opinion builds on a string of previous opinions that, taken together, provide both substantial ammunition for plaintiffs’ assaults on these agreements and, if you think about it, guidance on what to include—and exclude—from online agreements.
It is not necessarily a bad thing. The FTC staff report gives pretty clear guidance on what can be done: If a party wants a right to changes, then they should not be retroactive and the user must have some kind of right to agree (or not) to those changes going forward.
This is not some rogue court. The cases cited include some in the Fifth Circuit and some in Texas itself. With some serious contortions and impressive legal reasoning, one could distinguish this case from the facts and holdings of those precedents. But it is not so simple.
In just the last several years, quite a few courts have taken on the online agreements. They include courts in the Ninth Circuit and in Pennsylvania. The reasoning can be distinguished but not here. They all come to a smell test: Does this really smell like a contract?
These cases fall within an even longer line of opinions regarding the nature of agreements between corporations and consumers. As the FTC staff report pointed out (with copious footnotes), “fine print” cases have a long history. And it is a history where the “victor” has swung from the consumer to corporations and back. Now, with the new administration, with the FTC’s stiffer attitude about consumer rights (rightly or wrongly), and with these cases, we can expect history’s pendulum to swing the other way.
Conclusion
Write “Gooder.” These agreements do not have to be so dense and they do not have to have such onerous terms. The right of retroactive modification was a term just waiting to be shot down. Too often, lawyers just copy and paste a TOU from another site. Or, perhaps they have to justify their legal fees on a topic that is perceived by clients as unimportant boilerplate. Whatever the reason, this case should be a shot across the bow that attorneys put their clients at greater risk with such legal intricacies as we now see in EULAs.
Perhaps we’ll get some online agreements that are actually well-drafted; that do not read like fine print; and that provide better terms. But then, we believe in the Easter Bunny, too.
Summary: In an opinion arising from a hearing for a preliminary injunction, a US district court in California rejected a contractual term and concluded that the plaintiff failed to demonstrate irreparable harm–and, with a bit of an indirect warning: Contract terms do not limit the authority or role of courts. In the case of preliminary injunctions, the court makes the findings. And, they also pointed out that this is not new law. (However, we think that this is one of the first cases on TOUs–or EULAs.) We recently wrote about the FTC and EULAs/TOUs. Might become a more important topic–given that hundreds of millions of people are bound by them.
Call it the Inspection Management decision (it has not yet been named), but a software company sought a preliminary injunction against a competitor that had created an account, and contrary to the End User License Agreement (the EULA or a TOU), let others use his login, etc. The plaintiff went after the defendant on the basis of a breach of the EULA and, in particular, the “Equitable Relief” provision. This said:
“You agree that the information being provided by IMS,Inc. is confidential and derives its value, in part, from its confidential nonpublic nature. You further agree that in the event you breach this agreement, IMS,Inc., will suffer irreparable harm.”
This provision can be found in just about every EULA, every license and a very large portion of agreements. Well, what the court first cared about was that the plaintiff failed in it evidentiary burden about irreparable harm.
That alone would have been sufficient to decide this case. Then, they noted that the plaintiff relied on the contract language quoted above, which they considered just about “settled law.” That lineage of cases was prominent in the decision. Here is what they said:
Plaintiff cannot rely on the contractual provisions of the EULA to show irreparable harm. Instead, the court must make an independent determination of whether such harm is present. As the Second Circuit stated in Baker’s Aid. v. Hussmann Foodservice Co., 830 F.2d 13, 16 (2d Cir. 1987), “contractual language declaring money damages inadequate in the event of a breach does not control the question of whether preliminary injunctive relief is appropriate.” The Tenth Circuit expounded on this principle in Dominion Video Satellite, Inc. v. Echostar Satellite Corp.,supra.
So What?
So why did the court go farther than they had to? Obviously we do not know what the court thinks, but we do think the opinion has these ramifications.
- Courts do not like their authority or specified role limited, whether by contract or by legislation. Provisions that can be interpreted on their face to do so might be unfavorably scrutinized.
- Courts have not rendered many opinions on EULAs and this was an opportunity. As the saying goes “Watch this space.”
- Some courts in California are not really thrilled with the level of drafting in agreements. This provision is clearly treated as “boilerplate” when agreements are drafted.
So we are forewarned.
