Last January, shoe retailer Zappos announced that they had been the “victim of a cyber attack by a criminal” who had potentially gained access to the contact information of their 24 million plus customers, in addition to the last four digits of their credit card number and their “cryptographically scrambled” password. The database with credit card data and payment information was not breached.

As one might expect, lawsuits followed. Zappos attempted to force these lawsuits to arbitration, citing a clause in their user agreement. But they ran into a big problem. A federal court ruled that their user agreement – in effect, their contract with users – was invalid. Not just a portion of it, but the whole thing.

I first read about this on the technology and marketing law blog of Eric Goldman. Mr. Goldman is a Professor of Law at Santa Clara University School of Law, teaching Internet Law, Intellectual Property and Advertising and Marketing Law, and directs the school’s High Tech Law Institute.

In his post, Mr. Goldman helpfully broke down the two big missteps that really hurt Zappos in this case.

Agreement Was “Browsewrap”

If you post your user agreement on your website and link to it somewhere on the page, but never require people to actually agree to it by clicking a button, that’s a browsewrap agreement. Hilariously, Mr. Goldman writes that he doesn’t use the term “browsewrap”; instead, he refers to those agreements as “not a contract.”

Courts traditionally haven’t thought very highly of browsewrap and neither did the judge in this case.

“The arbitration provision found in the Terms of Use purportedly binds all users of the website by virtue of their browsing. However, the advent of the Internet has not changed the basic requirements of a contract, and there is no agreement where there is no acceptance, no meeting of the minds, and no manifestation of assent. A party cannot assent to terms of which it has no knowledge or constructive notice, and a highly inconspicuous hyperlink buried among a sea of links does not provide such notice. Because Plaintiffs did not assent to the terms, no contract exists, and they cannot be compelled to arbitrate,” wrote District Judge R. James (emphasis mine).

Agreement Included Unilateral Amendment Clause

Zappos’ user agreement included a clause stating that they reserved the right to change the agreement at any time. As Mr. Goldman notes, this sort of language is very common. “Unfortunately, despite its widespread usage, this language is toxic to a contract,” he writes. This is made clear by the judge.

“In any event, even if Plaintiffs could be said to have consented to the terms, the Terms of Use constitutes an illusory contract because it allows Zappos to avoid arbitration by unilaterally changing the Terms at any time, while binding any consumer to mandatory arbitration in Las Vegas, Nevada,” the ruling states. “We therefore decline to enforce the arbitration provision on two grounds: there is no contract, and even if there was, it would be illusory and therefore unenforceable.”

In other words: if Zappos can simply change the contract at any time without notice to or acceptance by the customer, then they can also change it to avoid arbitration when it doesn’t suit them. As such, the contract is “illusory and therefore unenforceable.”

Online Communities Should Learn From This

When I read Mr. Goldman’s article, I couldn’t help but feel that it had direct application to online communities, especially those that attempt to enforce restrictions, through their terms of use, that alter default legal rights that users might otherwise have. He was kind enough to agree to an online community focused interview.

Please note: this is a general discussion about legal topics, not legal advice. You should consult an attorney on matters of this nature and not simply rely on this general exploration of complicated topics.

Patrick O’Keefe: Zappos is an e-commerce site that takes information that allows people to be identified in real life – such as telephone numbers and street addresses – and sensitive information like credit card numbers and financial information. Most online communities require little more than an email address. How relevant do you feel this ruling is to online communities?

Eric Goldman: This ruling didn’t directly address the merits of the lawsuit over Zappos’ data security breach, but every website that gathers personally identifiable information should be concerned about the security of their user data – even if it’s as “minimal” as a database of email addresses. All websites should be following good security protocols: storing personal data in encrypted databases, using https, etc.

However, the real point of the case relates to the way websites form user agreements – something that virtually every online community tries to do. The ruling indicates that websites need to deploy their user agreements in specific ways, and the text of the agreement can’t contain unrestricted amendment rights. Many online communities may not be following these rules, in which case they need to revisit their user agreements as soon as possible.

PO: For well managed online communities, user guidelines are crucial. They are good for management, but they are also good for members because they allow everyone to know what is expected of them. Community managers could simply have no guidelines and just remove posts or ban people as they deem appropriate, but user guidelines provide a level of transparency in the process. It sounds like that transparency might be dangerous, though, in light of this ruling. Do you feel that if these guidelines were deemed “not a contract,” that a community manager’s ability to manage their community – for example, the basic right to block or ban someone from their community, at their own discretion – might be threatened?

EG: No. Congress enacted a statute, 47 U.S.C. 230, in 1996 to provide user generated content (UGC) site operators with the absolute right to manage their website without liability for their editorial choices. For more on Section 230 and website discretion, see this essay.

Because Section 230 provides UGC websites with the legal protection they need, it’s not crucial that the website’s behavioral restrictions get incorporated into their user agreement. If websites do incorporate behavioral restrictions into their contract, then I have two suggestions. First, keep the list of restrictions short and general. See this article. Second, don’t make any promises that the website won’t keep. Section 230 doesn’t necessarily protect the website from false advertising claims.

Instead of putting long and murky lists of negative behavioral restrictions in user agreements, I recommend that UGC websites create a separate “community norms” document that helps educate community members about desired and unwanted behavior. Users never see the list of restrictions in the user agreement, so the community norms document has a greater chance of being read and actually educating users about appropriate behavior on the site. The community norms document doesn’t necessarily have to be incorporated into the user agreement, although the website might nevertheless “punish” anti-social users for violating community norms. The best thing about the community norms documents is that other users, once educated about the site’s expectations, can help enforce the norms against rogue community members.

PO: In your article, you described how Zappos’ contract with users was thrown out due to their decision to treat their terms of use as “browsewrap” and to include unilateral amendment clauses in the agreement. You prefer a clickthrough agreement, where accepting the agreement is tied to a click being made. Drawing from your example, for an online community, this would mean language similar to “By submitting this post, you agree to the user agreement,” where “user agreement” could be linked to the actual document. Each time someone clicks that button to submit content, they are accepting the current agreement. If you update the agreement, they have not yet accepted it until they have pressed that button after the update.

My question: for this to work correctly, it would seem like you would need to have at least two sets of data. You need to know when the person last posted (which is easy, with any online community software), but you also need to have a copy of every version of your terms of service that you have ever released, along with the date and time span that each one was in use. How important is having that data and are there any other records that you feel would be worth keeping?

EG: It’s true that UGC websites should keep copies of past user agreements along with the dates they were in effect. It’s fairly typical that litigants will dispute which is the “correct” version of a user agreement, and the UGC website needs to be able to prove which version is applicable to the dispute – meaning the details should be recorded meticulously so they can convince the judge of their accuracy. As a practical matter, because of the hassles of amending the user agreement and keeping track of the details, most websites try to minimize the frequency of amendments.

If a UGC website decides to handle user agreement updates by forcing users to click through the new terms, then the ideal way is how you describe it, i.e., each user is tracked and asked to agree to the new terms when they first revisit the site. Another option for UGC websites is to require users to agree to the user agreement each and every time the user posts. That way, the users are always agreeing to the new terms by definition.

PO: How should one decide whether something should go in the community norms document or in the terms of service? Is there a good rule of thumb for that?

EG: I start with the premise that most UGC user agreements say that the site can terminate, suspend or otherwise discipline a user for any reason. If the contract says that, the community norms document might describe appropriate behavior on the site, but those norms don’t need to be in the contract because any user termination or discipline is legally authorized whether or not the behavior was described in the community norms document. In that case, the only user behavioral restrictions that need to be in the contract are provisions that are required to defend the website’s decisions if a user ever challenges them in court.


In considering this situation, and Mr. Goldman’s remarks, there were a few main takeaways I noted. This is my opinion and, once again, not legal advice. You should seek qualified counsel that can speak to your specific needs, if you are looking for advice.

  1. Browsewraps are bad and, if you rely on them, you are simply asking to be defeated. Instead of browsewraps, you should tie agreement with your terms of use to a direct action and ensure it is clearly and plainly displayed. For example, next to the “Submit” button in every area where people can post content, include a line to the effect of, “By submitting this content, you agree to our terms of use,” with “terms of use” linked to the document.
  2. Unilateral amendment clauses are just as bad. While it may sound great to be able to amend your terms at any time, it doesn’t sound so great for users. In Mr. Goldman’s article, he mentioned that if you just want to apply a change to your terms of use to users or content posted after the amendment was made, it’s not a big deal. Just have a clickthrough agreement in place and they’ll be bound to the terms of use that are in place at the time they clicked “Submit.”
  3. Document your terms of use and save a copy of each version you release, as well as the time period that each version was in place. If you haven’t done this previously, start doing it now. Better late than never. With a clickthrough agreement like the one outlined above, it is very simple to be able to know which terms of use each user must adhere to, based simply on the time stamp of posts they have made.
  4. Finally, it is important to note the difference between user guidelines (or community norms, as Mr. Goldman put it) and terms of use or a user agreement. The latter, if you have it, is mainly for things that could reasonably be challenged in court. For example, Zappos wanted to force customers to bring disputes to confidential arbitration in Las Vegas, Nevada. That isn’t how disputes would have to be handled under the law’s defaults. Their agreement sought to limit legal rights that the customer had. That is the sort of thing that could be challenged in court. Whether someone can use profanity, spam or participate in your community at all is not a legal right that you are limiting.
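
One way to keep the records described in point 3, as an added example that is not part of the original article: each terms-of-use version is stored with its effective start time and a SHA-256 digest of its text, and a post's timestamp is resolved to the version in force when “Submit” was clicked. The class and function names are hypothetical, and the version labels, dates and texts are constructed sample data.

```python
import hashlib
from bisect import bisect_right
from datetime import datetime, timezone


def _digest(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class TermsArchive:
    """Append-only record of terms-of-use versions and when each took effect."""

    def __init__(self):
        self._starts = []    # effective-from timestamps, ascending
        self._versions = []  # (label, sha256 of text), parallel to _starts

    def publish(self, label, text, effective_from):
        if effective_from.tzinfo is None:
            raise ValueError("use timezone-aware timestamps")
        if self._starts and effective_from <= self._starts[-1]:
            raise ValueError("versions must be added in chronological order")
        self._starts.append(effective_from)
        self._versions.append((label, _digest(text)))

    def version_at(self, when):
        """(label, digest) in force at `when`; None if no version existed yet."""
        i = bisect_right(self._starts, when)
        return self._versions[i - 1] if i else None

    def matches(self, label, text):
        """True if `text` is byte-for-byte the copy recorded under `label`."""
        return (label, _digest(text)) in self._versions


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


def build_sample_archive():
    # Constructed sample data: labels, dates and texts are illustrative only.
    archive = TermsArchive()
    archive.publish("v1", "Terms of use, first edition.", utc(2012, 1, 1))
    archive.publish("v2", "Terms of use, with revised dispute clause.", utc(2013, 1, 1))
    return archive


def versions_accepted(archive, post_times):
    """Labels of every version a user clicked through, judged by post times."""
    hits = (archive.version_at(t) for t in post_times)
    return sorted({v[0] for v in hits if v})
```

A post made exactly at a version's effective time resolves to that new version, and posts older than the first recorded version resolve to none.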

With this information in mind, you should be better informed to ask your attorney the right questions and to protect your community from these issues.

Disclosure: I am a long term shareholder in