©2015. Published in Landslide, Vol. 7, No. 4, March/April 2015, by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association or the copyright holder.
Most websites have a series of hyperlinks at the bottom of the page. These hyperlinks will typically direct you to what purport to be the contracts between the person browsing the website and the owner of the website. Much to the chagrin of us lawyers who spend a good deal of time drafting these contracts, most visitors never read these terms, and most consumers blindly click through terms and conditions online.
GameStation, a chain of U.K.-based retail stores, famously inserted an “immortal soul clause” into their online terms and conditions.1 Over 7,500 customers agreed to give GameStation “a non-transferable option to claim, for now and for ever more, your immortal soul.” While contracts purchasing souls are generally unenforceable for a host of reasons, whether online click-through contracts are enforceable depends on a number of factual variables. The issues also get trickier when kids are browsing or playing browser-based games online.
Clickwrap, Browsewrap, and Hybrid Agreements
Internet-based contracts are governed by the same old-fashioned principles of pen-and-ink contract law. As one court stated, “A contract is no less a contract simply because it is entered into via a computer.”2 Mutual agreement is necessary to form a valid contract.3 The types of online agreements that require no outward manifestation of consent are known as “browsewrap” agreements.4 Browsewrap agreements typically have hyperlinked notices posted on portions of a website, but the user’s consent is simply assumed by use of the website. Online agreements that require expressly manifested consent are known as “clickwrap” agreements. This consent can come about in many ways. Typically, most clickwrap agreements will require the user to click a button that states “I agree” or “I accept” prior to allowing the user to proceed to the website content.
There are also agreements that are considered by some courts to be a mix of the two—hybrid agreements. These hybrid agreements require some kind of manifested consent, but they do not directly display the agreement at issue. Instead, they often provide a hyperlink or a reference to the agreement at issue. These hybrid agreements constitute binding contracts where the user is provided with an opportunity to review the agreement at issue in the form of a hyperlink immediately under an “I Accept” button, and the user then clicks the “I Accept” button.9
The law on clickwrap, browsewrap, and hybrid agreements is becoming well developed. Generally speaking, clickwrap and hybrid agreements are typically enforceable, and browsewrap agreements require a more fact-specific analysis. But these consent issues are made particularly troublesome when dealing with children and games.
Gaming Kids and COPPA
Browser-based or tablet-based games for children are extremely popular, and a simple Google search for “video games for kids” pulls over 306 million results. Ranging from online roleplaying games to adventure-based learning, browser-based kids’ games provide low-cost interactive entertainment for young children. As the Federal Trade Commission (FTC) pointed out in a recent enforcement action against TinyCo (the maker of Tiny Pets, Tiny Zoo, Tiny Village, Tiny Monsters, and Mermaid Resort), children are particularly attracted to games with certain types of subject matter, visual content, and language.10 Children’s games can “appeal to children by containing brightly-colored, animated characters from little animals or zoo creatures to tiny monsters, and by involving subject matters such as a zoo, tree house, or resort inspired by a fairy tale.”11 Just like children’s television shows, children’s games have a distinct flavor and style designed to capture the attention of a child.
The makers of these games typically seek to monetize them to make a profit. To do so, companies typically enable microtransactions allowing in-game purchases for real dollars, use analytics and content sharing to collect and sell data, or display advertisements to those who play the games. This, in turn, typically requires the collection of data about (and from) the children who play them.
The Children’s Online Privacy Protection Act (COPPA) protects children under the age of 13 from certain practices.12 As per amendments made in 2013, COPPA requires all developers of games or applications that are directed to children under age 13—or that knowingly collect personal information from children under age 13—to post accurate privacy policies, provide notice, and obtain verifiable parental consent before collecting, using, or disclosing any “personally identifiable information” from children.13
Until recently, “personally identifiable information” included categories like first and last name, physical address, email address, telephone number, or Social Security number. But the 2013 amendments to COPPA broaden “personally identifiable information” to include a photograph or video with a child’s image, an audio file that has a child’s voice, certain geolocation data, or even (in some circumstances) a picture taken by a child.14 A good example would be a photo that included geolocation data in the photo’s EXIF data sufficient to identify where a child lived—such as a picture taken by a child on an iPhone of the child’s house, showing the exact location of the child’s home. It can also include screen or user names that function as online contact information, and persistent identifiers, such as cookies, IP addresses, and mobile device IDs, that can recognize users over time and across different websites or online services.
Under COPPA, game companies that collect personal information from children must:
- Give notice and get parental consent for personal information collected on games or applications from third parties, such as ad networks, unless an exception applies;
- Take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential; and
- Adhere to data retention and deletion requirements.15
Even a cursory review of many online browser-based games for kids shows that the consent relied on by many companies and platforms is on a browsewrap basis. These terms and conditions attempt to comply with COPPA by having passive language with parental consent. But this typically will not work—even if the child end user has actual or constructive knowledge of the website’s terms and conditions, the child’s consent is not enough. Parental consent is necessary, and that is not feasibly obtained by a simple browsewrap agreement where the parent is not the one who will be playing the browser-based game.
And the issues do not end with games. Yelp recently entered into a $450,000 settlement with the FTC for running afoul of COPPA.16 Yelp allows users who register with the site to write reviews of businesses and service providers. You can access Yelp via a smartphone application, or via its Internet website. Then, once you access the site, you upload a profile picture and photos to accompany your reviews (e.g., “This place was great—look at me eating food!”). A Yelper can also “friend” others on Yelp in a manner akin to Facebook or LinkedIn, and Yelp’s mobile application even uses geolocation to track its users.
Yelp was careful to state in its policies that it “is intended for general audiences and is not directed to children under 13,” as do many websites. Yelp also had age screening mechanisms and policies on its website that were not in place on the Yelp application at issue with the FTC. But even where policies are in place, simply stating that you do not allow children to use a website is not enough.
COPPA defines a “[w]eb site or online service directed to children” in a broader manner than you might expect.17 A website or online service can be “directed to children” because of the “use of animated characters or child-oriented activities and incentives” or “presence of child celebrities or celebrities who appeal to children.” It can also be “directed to children” if its operator has “actual knowledge” that it is collecting personal information from users under age 13, or from another online service that does so. However, a site is not “directed to children” if it “[d]oes not collect personal information from any visitor prior to collecting age information” and “[p]revents the collection, use, or disclosure of personal information from visitors who identify themselves as under age 13.”18
The FTC’s complaint against Yelp was simple. At the time, one could sign up for a Yelp account even when, during the registration process, the user entered a birthdate showing that he or she was under the age of 13. Thus, the FTC alleged that Yelp knew it was collecting information from users under age 13. According to the FTC, “several thousand” children between the ages of nine and 13 were able to register with Yelp.19 While their reviews were likely amusing, Yelp’s site did not follow the COPPA rule’s requirements—providing notice that it collected information from children on its website, providing notice to the parents of the children, and obtaining verifiable parental consent prior to collecting the information.
Kids’ Rights to Be Forgotten and Void Contracts
But the issues do not end with kids under age 13—the rules of the road are different for children under age 18 as well. For example, as of January 1, 2015, California’s children under age 18 will enjoy a new “right to be forgotten” thanks to the passage of a new California law titled Privacy Rights for California Minors in the Digital World.20 This new law requires the operator of an Internet website, online service, online application, or mobile application to permit minor users to remove content or information posted on the site, service, or application. It also requires the operator to provide notice to minors that they can remove content that they post, per this new right to be forgotten. There are exceptions to this rule—if the content or information was posted by a third party, or another law requires that the content or information be preserved, then the right to be forgotten does not apply.
This same right to be forgotten law has numerous other requirements now applicable to children under age 18. For example, it contains restrictions prohibiting the marketing and advertising of certain dietary supplements, tattoos, tanning, BB guns, tobacco, and alcohol to minors. Websites (and ad-driven games) directed to minors cannot market or advertise any of the prohibited products. General audience websites or games are also prohibited from advertising any of these taboo products “to a minor who the operator has actual knowledge is using” its website or game “if the marketing or advertising is specifically directed to that minor based upon information specific to that minor.”21
Additionally, minors (individuals under age 18) typically do not have the legal capacity to enter into contracts. While there are multiple statutorily based exceptions (and exceptions if the minor is emancipated), generally speaking a contract between a minor and an adult may be cancelled upon request of the minor, but is binding on the adult. Thus, it is not always a good idea to contract with minor children—even if over age 13. This issue can come up in the context of clickwrap agreements, such as in A.V. v. iParadigms, Ltd. Liab. Co.22
The iParadigms case was primarily reported based on its analysis of “fair use” issues under the Copyright Act. The case arose when a number of minor students were required by their high school teachers to submit school papers electronically, and to consent to an online agreement with Turnitin.com. Turnitin is an antiplagiarism website that cross-references various student works to determine if students are copying each other’s papers. While the primary issue was whether the website violated the students’ copyrights to their work when it archived them for future comparison with other student works (answer: no, it was considered fair use), clickwrap agreements and the age of majority came into issue.
Rather than a browsewrap agreement, Turnitin had a clickwrap agreement where the high school students clicked “I Agree” to acknowledge their acceptance of the terms of the clickwrap agreement. The iParadigms court had no issue with this form of consent, but the Virginia high school students were all under the age of 18 when they agreed to the clickwrap terms. In Virginia, “a contract with an infant is not void, only voidable by the infant upon attaining the age of majority.”23 The high school students thereby argued that because they were under age 18 at the time of entering into the contracts, they could not be bound by the contracts. The court found that the students could not use this doctrine to void the contract while simultaneously retaining the benefits of the contract—high school credit and standing to sue.
Turnitin caught a break, but you can easily wind up in a thorny situation when contracting with minors or relying on clickwrap or browsewrap agreements on the web. Careful analysis of your audience—and your agreement process—can help avoid these sorts of issues. If you have websites or games directed to children where you collect (or plan to collect) personal information, do not rely on passive consent. Even if the children are over age 13, the best practice is to obtain verifiable parental consent. Verifiable parental consent is defined by COPPA as “any reasonable effort (taking into consideration available technology), including a request for authorization for future collection, use, and disclosure described in the notice.”24 Helpfully, COPPA and the FTC provide nonexhaustive lists of ways to obtain this type of verifiable consent, including:
- Providing a consent form to be signed by the parent and returned to the operator by postal mail, facsimile, or electronic scan;
- Requiring a parent, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder;
- Having a parent call a toll-free telephone number or connect to a videoconference staffed by trained personnel; and
- Verifying a parent’s identity by checking a form of government-issued identification against databases of such information, where the parent’s identification is deleted by the operator from its records promptly after such verification is complete.25
These are tried and true methods, but as technology develops, newer and more efficient ways to verify parental consent will continue to arise. When in doubt, applicants can submit proposed methods to obtain consent to the FTC for vetting and potential approval.26
Failure to pay attention to issues surrounding the various wrap agreements and children can have big dollar consequences. As yet another example, Apple recently was forced to provide at least $32.5 million in consumer refunds to settle claims that it “billed consumers for millions of dollars of charges incurred by children in kids’ mobile apps without their parents’ consent.”27 Even if you do not think you contract with minors, be wary of that assumption and of your various wrap agreements. That’s a wrap!
1. See Marc Perton, Read Fine Print or GameStation May Own Your Soul, Consumerist (Apr. 16, 2010), http://consumerist.com/2010/04/16/read-fine-print-or-gamestation-may-own-your-soul/.
2. Forrest v. Verizon Commc’ns, Inc., 805 A.2d 1007, 1011 (D.C. 2002).
3. Nguyen v. Barnes & Noble Inc., 763 F.3d 1171, 1175 (9th Cir. 2014) (citing Register.com, Inc. v. Verio, Inc., 356 F.3d 393, 403 (2d Cir. 2004)).
4. Id. at 1176; In re Zappos.com, Inc., Customer Data Sec. Breach Litig., 893 F. Supp. 2d 1058, 1073 (D. Nev. 2012).
5. See Treiber & Straub, Inc. v. UPS, Inc., 474 F.3d 379, 382–83, 385 (7th Cir. 2007) (finding a clickwrap process to have “provided adequate notice” to customers when it required clicking assent, repeated the disclaimer of liability several times, and referred to the pertinent parts of the contract that was also available on the business’s website); Van Tassell v. United Mktg. Grp., LLC, 795 F. Supp. 2d 770, 790 (N.D. Ill. 2011) (noting that because clickwrap agreements require affirmative action on the part of the user to manifest assent, courts regularly uphold their validity when challenged); Koresko v. RealNetworks, Inc., 291 F. Supp. 2d 1157, 1162–63 (E.D. Cal. 2003) (finding that clicking box marked “I agree” on website evinced express agreement to terms); DeJohn v. .TV Corp. Int’l, 245 F. Supp. 2d 913, 921 (C.D. Ill. 2003) (holding the clickwrap agreement a valid and enforceable contract and “[t]he fact that the contract is electronic does not affect this conclusion”); i.LAN Sys., Inc. v. NetScout Serv. Level Corp., 183 F. Supp. 2d 328, 338 (D. Mass. 2002) (holding that clicking “I agree” box is an appropriate way to form an enforceable contract); Stomp, Inc. v. NeatO, LLC, 61 F. Supp. 2d 1074, 1081 (C.D. Cal. 1999) (enforcing assent to terms by clicking “accept” button).
6. Specht v. Netscape Commc’ns Corp., 306 F.3d 17, 30–31 (2d Cir. 2002).
7. Nguyen, 763 F.3d at 1176 (quoting Van Tassell, 795 F. Supp. 2d at 790).
8. Id. at 1177.
9. See Fteja v. Facebook, Inc., 841 F. Supp. 2d 829, 839–40 (S.D.N.Y. 2012); Swift v. Zynga Game Network, Inc., 805 F. Supp. 2d 904, 911–12 (N.D. Cal. 2011).
10. See Complaint for Civil Penalties, Permanent Injunction, and Other Equitable Relief at 5–6, United States v. TinyCo, Inc., No. 3:14-cv-04164 (N.D. Cal. Sept. 16, 2014), available at http://www.ftc.gov/system/files/documents/cases/140916tinycocmpt.pdf.
11. Id. at 6.
12. 15 U.S.C. §§ 6501 et seq.
13. Id. § 6502; 16 C.F.R. pt. 312.
14. 16 C.F.R. § 312.2.
15. Id. at pt. 312.
16. Stipulated Order for Permanent Injunction and Civil Penalty Judgment, United States v. Yelp Inc., No. 3:14-cv-04163 (N.D. Cal. Sept. 16, 2014), available at http://www.ftc.gov/system/files/documents/cases/140917yelpstip.pdf.
17. 16 C.F.R. § 312.2.
19. Complaint for Permanent Injunction, Civil Penalties and Other Relief, Yelp Inc., No. 3:14-cv-04163 (N.D. Cal. Sept. 16, 2014), available at http://www.ftc.gov/system/files/documents/cases/140917yelpcmpt.pdf.
20. Cal. Bus. & Prof. Code §§ 22580 et seq.
21. Id. § 22580.
22. 544 F. Supp. 2d 473, 480 (E.D. Va. 2008).
23. Zelnick v. Adams, 561 S.E.2d 711, 715 (Va. 2002).
24. 15 U.S.C. § 6501(9).
25. See 16 C.F.R. § 312.5; Complying with COPPA: Frequently Asked Questions, Bureau of Consumer Protection Bus. Center, http://www.business.ftc.gov/documents/0493-Complying-with-COPPA-Frequently-Asked-Questions#Photos Videos and Audio (last revised July 16, 2014).
26. See, e.g., Letter from April J. Tabor, Acting Secretary, FTC, to Marshall C. Harrison, CEO, Imperium, LLC (Dec. 23, 2013), http://www.ftc.gov/sites/default/files/attachments/press-releases/ftc-grants-approval-new-coppa-verifiable-parental-consent-method/131223imperiumcoppa-app.pdf (approving Imperium’s proposed methodology to obtain parental consent using knowledge-based authentication).
27. Press Release, FTC, Apple Inc. Will Provide Full Consumer Refunds of At Least $32.5 Million to Settle FTC Complaint It Charged for Kids’ In-App Purchases without Parental Consent (Jan. 15, 2014), http://www.ftc.gov/news-events/press-releases/2014/01/apple-inc-will-provide-full-consumer-refunds-least-325-million.