

Is Your Website a Ticking Time Bomb? Ten Tips for Defusing Litigation Risk

Michael P Daly and Matthew Adler


  • The time to stress-test your website is now.
  • There are many issues that website designers and contract drafters should review with the assistance of experienced counsel.
  • You likely need mostly modest modifications to customer-facing documents.

One could reasonably assume that, more than 40 years after the birth of the internet, the rules regarding the form and function of commercial websites would be well settled and widely known. But just the opposite is true because websites are governed by overlapping laws—some of which predate the internet—at the federal and state level. And a growing number of private lawyers and public regulators would be more than happy to use the ambiguities in those laws to file suit seeking millions if not billions in aggregate statutory penalties for every man, woman, and child who has ever visited your website. Indeed, last year saw the plaintiffs’ bar invest not only in the website-accessibility cases that have been a cottage industry for years but also in things like session-replay and conversion-tracking technologies that are becoming a new frontier for class-action litigation.

In short, the time to stress-test your website is now. To that end, we offer below a list—albeit a nonexhaustive one—of things to consider when designing a website or drafting a website’s terms of use and other customer-facing policies. After all, the best way to reduce the risk of class actions is to avoid them altogether—and the best way to do that is to stay ahead of the plaintiffs’ bar.

No. 1: Session-Replay Litigation

Last year saw an explosion of class actions claiming that session-replay technologies—which are used to improve services by better understanding how users interact with a website—violate state statutes like the California Invasion of Privacy Act and the Pennsylvania Wiretapping and Electronic Surveillance Control Act. Pennsylvania became the epicenter of such suits after the U.S. Court of Appeals for the Third Circuit dramatically—and unexpectedly—expanded the scope of its wiretap statute by rejecting the direct-party exception to liability that applies in many other states. See Popa v. Harriet Carter Gifts Inc., 52 F.4th 121 (3d Cir. 2022). Businesses should review their practices and disclosures now, if they haven’t already, as this trend shows no sign of slowing.

No. 2: Conversion-Tracking Technology

Last year also saw an uptick in class actions challenging consumer-facing websites that post video content and simultaneously use the Facebook Pixel, a piece of code that can track certain actions on a website. Such data can help businesses better understand their customers and better deliver content to them.

The plaintiffs in this new wave of litigation allege that the use of this relatively new technology (i.e., posting video content while using the Pixel) violates a nearly 40-year-old federal statute called the Video Privacy Protection Act (VPPA). 18 U.S.C. § 2710. The VPPA generally prohibits a “video tape service provider” from “knowingly” disclosing “personally identifiable information” (including that which “identifies a person as having requested or obtained specific video materials or services”) to third parties without a stand-alone, “informed, written consent” from the consumer. Id. § 2710(b). The law creates a private right of action and allows for $2,500 in statutory damages plus the ability to seek punitive damages, attorney fees, and injunctive relief. Id. § 2710(c).

Several companies—primarily media outlets—have been sued under this new theory. The virtually identical suits allege that websites shared viewers’ personally identifiable information without their consent. The defendants have responded by arguing that the VPPA does not apply in this context, that they are not “video tape service providers,” that they did not disclose “personally identifiable information,” and that they did not “knowingly” disclose data.

Early challenges have not been universally successful, which indicates that these cases could continue well into 2023. And although the actions may not succeed by the time of class certification, summary judgment, or trial, the rising tide of these cases suggests that any business that posts video content and uses the Pixel should closely examine its privacy policies and consent processes to mitigate potential risk. For example, businesses may elect to discontinue or limit the use of the Pixel, or otherwise use a disclosure-and-consent process (a banner or pop-up) that must be accepted before viewing videos.

No. 3: Accessibility and the ADA

Title III of the Americans with Disabilities Act (ADA) prohibits discrimination against people with disabilities in “places of public accommodation”—a term that was meant to apply to brick-and-mortar establishments like stores, restaurants, and other places that are open to the public. As commerce has moved online, however, plaintiffs have argued that websites are “places of public accommodation” as well. That has divided the courts, which have developed various tests—sometimes depending on whether the site has a “nexus” to brick-and-mortar sales—for determining whether a website is subject to the ADA.

In any event, the plaintiffs’ bar continues to threaten or file suit in favorable jurisdictions, seeking injunctions and awards of their fees and costs, which in protracted litigation can be substantial. Businesses should therefore consider using a vendor to assess their website’s accessibility and, if necessary, to make adjustments consistent with guidelines announced last year by the Department of Justice. See Dep’t of Just., Guidance on Web Accessibility and the ADA (Mar. 18, 2022).

No. 4: The European Union’s GDPR

In addition to the ADA, data privacy provides another key compliance touchpoint for any website. The starting point in this context is arguably the most sweeping data privacy regulation to date: the European Union’s General Data Protection Regulation (GDPR).

The GDPR’s requirements are complex, to say the least. In simple terms, however, it regulates how companies collect and maintain personal data (i.e., data that can be used to identify a person), and it imposes steep fines on companies that fail to comply. It is premised on seven key principles related to data processing and requires technical and organizational measures to secure personal data (e.g., a privacy policy with specified components). It also mandates notice of certain data breaches and specifies when (and how) to obtain consent to process certain data.

The GDPR has globe-spanning compliance obligations for any business, regardless of its location, that collects the personal data of European citizens. Companies large and small have had to grapple with its requirements. Today, any business with any online presence must account for the GDPR, and no discussion of website hygiene would be complete without mentioning this landmark regulation. At a minimum, the regulation’s rules for the contents of privacy policies could provide a helpful benchmark even for those businesses that conclude they are not subject to the GDPR.

No. 5: U.S. Data Privacy Laws

Although the GDPR impacts many companies that interact with European consumers, federal and state laws in the United States complement the regulation. Thus, even if a website is not subject to the GDPR, it must still account for a patchwork of domestic data privacy laws such as the Children’s Online Privacy Protection Act (COPPA); the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA); the California Online Privacy Protection Act (CalOPPA); and various other data privacy laws passed in other states. Each of these laws has its own focus:

  • The COPPA imposes certain requirements on website operators that serve to protect the personal information of children under 13 years of age.
  • The CalOPPA requires any “commercial website” that collects personally identifiable information from California residents to conspicuously post a privacy policy that meets specific requirements. Website operators that fail to comply could face private suits or public enforcement actions seeking civil penalties, among other remedies.
  • The CCPA, often characterized as the stateside counterpart to the GDPR, is too detailed and broad to fully summarize here. Generally, however, the law applies to businesses that have a certain footprint (e.g., they have a gross revenue of over $25 million or buy or sell personal information for over 50,000 consumers); and it gives California consumers the right to know and control what personal information is collected from them, the right to request that a business not share or sell such information, and other rights related to personal data. It also creates a private right of action related to data breaches. The law is the source of the ubiquitous “Do Not Sell My Personal Information” link on website home pages. Another key feature is that it requires that privacy policies describe the various rights afforded by the act.
  • The recent CPRA, effective January 1, 2023, builds on the CCPA by adding new rights for Californians to correct inaccurate personal information that a business has obtained, as well as greater protections to limit the disclosure of sensitive personal information.

Finally, many other states—including Connecticut, Maryland, Massachusetts, New York, Utah, and Virginia—have data privacy laws that are similar to those in California. And it is highly likely that more will join as more business moves from traditional brick-and-mortar stores to the internet. Thus, for any business that operates a website, it is indisputably necessary to ensure compliance with these federal and state data privacy laws.

No. 6: The Pre-Sale Availability Rule

Last year witnessed the birth of a species of class action invoking the Pre-Sale Availability Rule (PSAR), which the Federal Trade Commission (FTC) enacted under the Magnuson-Moss Warranty Act. The PSAR imposes requirements on sellers and warrantors of consumer products that have written warranties and cost more than $15. See 16 C.F.R. § 702.3. Insofar as retailers are concerned, the PSAR requires that the text of such warranties be made “readily available for examination by the prospective buyer.” Id. § 702.3(a). Retailers can do that by (a) displaying the warranty “in close proximity” to the product; or (b) furnishing the warranty “upon request prior to sale,” but only if they also have signs that (i) are placed in “prominent locations in the store or department,” (ii) are “reasonably calculated to elicit the prospective buyer’s attention,” and (iii) “advis[e] such prospective buyers of the availability of warranties upon request.” Id. §§ 702.3(a)(1), 702.3(a)(2). Although those requirements were written with brick-and-mortar stores in mind, the FTC has said that they apply with equal force to online sales. See Fed. Trade Comm’n, .com Disclosures: How to Make Effective Disclosures in Digital Advertising 3 n.7 (Mar. 2013) (“For the most part, rules and guides that use terms such as ‘written,’ ‘writing,’ and ‘printed’ apply online. . . . The requirement to make warranties available at the point of purchase can be accomplished easily online by, for example, using a clearly-labeled hyperlink, in close proximity to the description of the warrantied product, such as ‘get warranty information here’ to lead to the full text of the warranty, and presenting the warranty in a way that it can be preserved either by downloading or printing.”). It follows that retailers with an online presence—which is to say virtually all retailers—should keep this in mind as they design their websites’ purchase paths.

No. 7: Arbitration Provisions

Arbitration provisions have been evolving for years. The product of resistance by plaintiffs, review by judges, and refinement by business, modern arbitration agreements benefit both businesses and consumers by creating an alternative to the judicial system’s two traditional methods of resolving consumer disputes: inefficient class actions and impractical individual actions. But the recent trend of so-called mass arbitration calls for immediate review of such agreements—even those that were refreshed just a few years ago.

Mass arbitrations occur when thousands of claimants—generally employees but sometimes consumers or other plaintiffs—file demands for individual arbitration at the same time. This is done not because their lawyers want thousands of arbitrations but because they want to force the defendant to choose between paying thousands of filing fees or settling on a class-wide basis. One court colorfully quipped that a defendant in this scenario had “traded a giant incoming meteor for a landslide of pebbles.” Careful companies are revising their arbitration provisions—for example by recalibrating fee-shifting provisions and adding bellwether provisions—to make mass arbitrations less likely.

No. 8: Choice-of-Law Provisions

Some terms of use have choice-of-law provisions that provide for the application of one state’s law—generally the state in which the business is headquartered—to everyone who visits the site. There may be compelling reasons to do that in some circumstances. But businesses should think twice before reflexively doing so because differences in state laws often create individualized issues that predominate over any supposedly common ones. Making the law of one state apply to everyone takes that arrow out of the defendant’s quiver—often with no articulable business benefit in return.

No. 9: Contract-Formation Procedures

There are two kinds of online contracts: “clickwrap” contracts, which require consumers to manifest their assent by (for example) clicking a button to that effect; and “browsewrap” contracts, which are made available via a link, usually in the familiar footer at the bottom of the page, but do not require consumers to manifest their assent by doing anything other than using the site. Although courts routinely enforce properly implemented clickwrap contracts, some have been reluctant to enforce browsewrap contracts, at least when there is no independent evidence that the consumer had notice or knowledge of the agreement. Businesses should therefore think carefully about whether a particular provision is one that they want to be able to enforce in a dispute with a consumer—and, if it is, they should deploy that contract accordingly.

No. 10: Online Cancellations

As automatically renewing subscriptions continue to grow in popularity, businesses should note a new trend in the automatic renewal laws (ARLs) that regulate such contracts. A handful of states have imposed additional requirements related to cancellation methods for renewing agreements. These states mandate that for a renewing contract accepted online, a business must also allow the consumer to cancel online. Although this type of requirement is currently only in effect in certain jurisdictions (e.g., California, Delaware, Idaho, Illinois, New York, Tennessee, Vermont, and Virginia), it is safe to assume that other states will follow suit. Indeed, some state legislatures, such as in Michigan, have proposed bills that would include an online cancellation requirement.

California’s ARL goes even further. It not only requires online cancellation for renewing contracts accepted on the internet, but, as of July 2022, it also regulates how a consumer must be permitted to cancel online—that is, either through a “prominently located direct link or button” or an “immediately accessible termination email” that can be sent without additional information (e.g., an automatically generated, preformatted cancellation email that the consumer can easily access by clicking a link on the business’s website). If past is prologue, California’s requirements will serve as a template for other ARLs. It would therefore be prudent even for companies that do not do business in the Golden State to consider complying with these additional requirements now.

Looking Ahead

To be sure, there are substantive and procedural defenses to the theories of liability noted above. Each could be the subject of a separate article—or series of articles. For present purposes, then, we have tried only to identify issues that website designers and contract drafters should review with the assistance of experienced counsel. Fundamentally, it is often the case that class-action risk can be mitigated—if not eliminated—by making mostly modest modifications to terms and conditions, terms of use, privacy policies, and other customer-facing documents.