Last January, Amazon.com-owned shoe retailer Zappos.com announced that they had been the “victim of a cyber attack by a criminal” who had potentially gained access to the contact information of their 24 million plus customers, in addition to the last four digits of their credit card number and their “cryptographically scrambled” password. The database with credit card data and payment information was not breached.
As one might expect, lawsuits followed. Zappos attempted to force these lawsuits to arbitration, citing a clause in their user agreement. But they ran into a big problem. A federal court ruled that their user agreement – in effect, their contract with users – was invalid. Not just a portion of it, but the whole thing.
I first read about this on the technology and marketing law blog of Eric Goldman. Mr. Goldman is a Professor of Law at Santa Clara University School of Law, teaching Internet Law, Intellectual Property and Advertising and Marketing Law, and directs the school’s High Tech Law Institute.
In his post, Mr. Goldman helpfully broke down the two big missteps that really hurt Zappos in this case.
Agreement Was “Browsewrap”
If you post your user agreement on your website and link to it somewhere on the page, but never require people to actually agree to it by clicking a button, that’s a browsewrap agreement. Hilariously, Mr. Goldman writes that he doesn’t use the term “browsewrap”; instead, he refers to those agreements as “not a contract.”
Courts traditionally haven’t thought very highly of browsewrap and neither did the judge in this case.
Agreement Included Unilateral Amendment Clause
Zappos’ user agreement included a clause stating that they reserved the right to change the agreement at any time. As Mr. Goldman notes, this sort of language is very common. “Unfortunately, despite its widespread usage, this language is toxic to a contract,” he writes. This is made clear by the judge.
In other words: if Zappos can simply change the contract at any time without notice to or acceptance by the customer, then they can also change it to avoid arbitration when it doesn’t suit them. As such, the contract is “illusory and therefore unenforceable.”
Online Communities Should Learn From This
Please note: this is a general discussion about legal topics, not legal advice. You should consult an attorney on matters of this nature and not simply rely on this general exploration of complicated topics.
Patrick O’Keefe: Zappos is an e-commerce site that takes information that allows people to be identified in real life – such as telephone numbers and street addresses – and sensitive information like credit card numbers and financial information. Most online communities require little more than an email address. How relevant do you feel this ruling is to online communities?
Eric Goldman: This ruling didn’t directly address the merits of the lawsuit over Zappos’ data security breach, but every website that gathers personally identifiable information should be concerned about the security of their user data – even if it’s as “minimal” as a database of email addresses. All websites should be following good security protocols: storing personal data in encrypted databases, using https, etc.
However, the real point of the case relates to the way websites form user agreements – something that virtually every online community tries to do. The ruling indicates that websites need to deploy their user agreements in specific ways, and the text of the agreement can’t contain unrestricted amendment rights. Many online communities may not be following these rules, in which case they need to revisit their user agreements as soon as possible.
PO: For well-managed online communities, user guidelines are crucial. They are good for management, but they are also good for members because they allow everyone to know what is expected of them. Community managers could simply have no guidelines and just remove posts or ban people as they deem appropriate, but user guidelines provide a level of transparency in the process. It sounds like that transparency might be dangerous, though, in light of this ruling. Do you feel that if these guidelines were deemed “not a contract,” that a community manager’s ability to manage their community – for example, the basic right to block or ban someone from their community, at their own discretion – might be threatened?
EG: No. Congress enacted a statute, 47 U.S.C. 230, in 1996 to provide user generated content (UGC) site operators with the absolute right to manage their website without liability for their editorial choices. For more on Section 230 and website discretion, see this essay.
Because Section 230 provides UGC websites with the legal protection they need, it’s not crucial that the website’s behavioral restrictions get incorporated into their user agreement. If websites do incorporate behavioral restrictions into their contract, then I have two suggestions. First, keep the list of restrictions short and general. See this article. Second, don’t make any promises that the website won’t keep. Section 230 doesn’t necessarily protect the website from false advertising claims.
Instead of putting long and murky lists of negative behavioral restrictions in user agreements, I recommend that UGC websites create a separate “community norms” document that helps educate community members about desired and unwanted behavior. Users never see the list of restrictions in the user agreement, so the community norms document has a greater chance of being read and actually educating users about appropriate behavior on the site. The community norms document doesn’t necessarily have to be incorporated into the user agreement, although the website might nevertheless “punish” anti-social users for violating community norms. The best thing about the community norms documents is that other users, once educated about the site’s expectations, can help enforce the norms against rogue community members.
My question: for this to work correctly, it would seem like you would need to have at least two sets of data. You need to know when the person last posted (which is easy, with any online community software), but you also need to have a copy of every version of your terms of service that you have ever released, along with the date and time span that each one was in use. How important is having that data and are there any other records that you feel would be worth keeping?
EG: It’s true that UGC websites should keep copies of past user agreements along with the dates they were in effect. It’s fairly typical that litigants will dispute which is the “correct” version of a user agreement, and the UGC website needs to be able to prove which version is applicable to the dispute – meaning the details should be recorded meticulously so they can convince the judge of their accuracy. As a practical matter, because of the hassles of amending the user agreement and keeping track of the details, most websites try to minimize the frequency of amendments.
If a UGC website decides to handle user agreement updates by forcing users to click through the new terms, then the ideal way is how you describe it, i.e., each user is tracked and asked to agree to the new terms when they first revisit the site. Another option for UGC websites is to require users to agree to the user agreement each and every time the user posts. That way, the users are always agreeing to the new terms by definition.
PO: How should one decide whether something should go in the community norms document or in the terms of service? Is there a good rule of thumb for that?
EG: I start with the premise that most UGC user agreements say that the site can terminate, suspend or otherwise discipline a user for any reason. If the contract says that, the community norms document might describe appropriate behavior on the site, but those norms don’t need to be in the contract because any user termination or discipline is legally authorized whether or not the behavior was described in the community norms document. In that case, the only user behavioral restrictions that need to be in the contract are provisions that are required to defend the website’s decisions if a user ever challenges them in court.
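The record keeping discussed in the exchange above (every version of the agreement with the dates it was in effect, plus each user's click-through) can be modelled as a small append-only ledger. This is an added example, not code from the original post or from any site it mentions; the class, method names and sample data are hypothetical and constructed for illustration.

```python
import hashlib
from bisect import bisect_right
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class AgreementLedger:  # hypothetical name, not from the post
    versions: list = field(default_factory=list)     # (effective_from, id, sha256)
    acceptances: dict = field(default_factory=dict)  # user -> [(when, id, sha256)]

    def publish(self, version_id, text, effective_from):
        """Register a new version with its start date and a hash of its exact text."""
        if self.versions and effective_from <= self.versions[-1][0]:
            raise ValueError("versions must be added in chronological order")
        sha = hashlib.sha256(text.encode("utf-8")).hexdigest()
        self.versions.append((effective_from, version_id, sha))

    def in_effect(self, at):
        """Version in force at `at`, or None before the first one."""
        i = bisect_right([v[0] for v in self.versions], at)
        return self.versions[i - 1] if i else None

    def record_acceptance(self, user, at):
        """Append a click-through of whatever version is in force at `at`."""
        current = self.in_effect(at)
        if current is None:
            raise ValueError("no agreement in effect at that time")
        self.acceptances.setdefault(user, []).append((at, current[1], current[2]))

    def needs_reacceptance(self, user, at):
        """True if the user's latest click-through is not for the current version."""
        current = self.in_effect(at)
        history = self.acceptances.get(user, [])
        return current is not None and (not history or history[-1][1] != current[1])

    def accepted_version_at(self, user, at):
        """Version the user had most recently agreed to as of `at`."""
        prior = [a for a in self.acceptances.get(user, []) if a[0] <= at]
        return prior[-1][1] if prior else None

def demo():
    """Constructed sample data: two versions, one user who accepted the first."""
    utc = timezone.utc
    ledger = AgreementLedger()
    ledger.publish("v1", "Constructed terms, first version.", datetime(2012, 1, 1, tzinfo=utc))
    ledger.publish("v2", "Constructed terms, second version.", datetime(2012, 9, 1, tzinfo=utc))
    ledger.record_acceptance("alice", datetime(2012, 3, 5, tzinfo=utc))
    return ledger
```

Calling `needs_reacceptance` when a user first revisits the site gives the click-through prompt described above, and `accepted_version_at` answers which version applied to that user on a disputed date.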
In considering this situation, and Mr. Goldman’s remarks, there were a few main takeaways I noted. This is my opinion and, once again, not legal advice. You should seek qualified counsel that can speak to your specific needs, if you are looking for advice.
With this information in mind, you should be better informed to ask your attorney the right questions and to protect your community from these issues.
Disclosure: I am a long-term shareholder in Amazon.com.