No. 3: Accessibility and the ADA
Title III of the Americans with Disabilities Act (ADA) prohibits discrimination against people with disabilities in “places of public accommodation”—a term that was meant to apply to brick-and-mortar establishments like stores, restaurants, and other places that are open to the public. As commerce has moved online, however, plaintiffs have argued that websites are “places of public accommodation” as well. That has divided the courts, which have developed various tests—sometimes depending on whether the site has a “nexus” to brick-and-mortar sales—for determining whether a website is subject to the ADA.
In any event, the plaintiffs’ bar continues to threaten or file suit in favorable jurisdictions, seeking injunctions and awards of their fees and costs, which in protracted litigation can be substantial. Businesses should therefore consider using a vendor to assess their website’s accessibility and, if necessary, to make adjustments consistent with guidelines announced last year by the Department of Justice. See Dep’t of Just., Guidance on Web Accessibility and the ADA (Mar. 18, 2022).
No. 4: The European Union’s GDPR
In addition to the ADA, data privacy provides another key compliance touchpoint for any website. The starting point in this context is arguably the most sweeping data privacy regulation to date: the European Union’s General Data Protection Regulation (GDPR).
The GDPR’s requirements are complex, to say the least. In simple terms, however, it regulates how companies collect and maintain personal data (i.e., data that can be used to identify a person), and it imposes steep fines on companies that fail to comply. It is premised on seven key principles related to data processing and requires technical and organizational measures to secure personal data (e.g., a privacy policy with specified components). It also mandates notice of certain data breaches and specifies when (and how) to obtain consent to process certain data.
The GDPR has globe-spanning compliance obligations for any business, regardless of its location, that collects the personal data of European citizens. Companies large and small have had to grapple with its requirements. Today, any business with any online presence must account for the GDPR, and no discussion of website hygiene would be complete without mentioning this landmark regulation. At a minimum, the regulation’s rules for the contents of privacy policies could provide a helpful benchmark even for those businesses that conclude they are not subject to the GDPR.
No. 5: U.S. Data Privacy Laws
Although the GDPR impacts many companies that interact with European consumers, federal and state laws in the United States complement the regulation. Thus, even if a website is not subject to the GDPR, it must still account for a patchwork of domestic data privacy laws such as the Children’s Online Privacy Protection Act (COPPA); the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA); the California Online Privacy Protection Act (CalOPPA); and various other data privacy laws passed in other states. Each of these laws has its own focus:
- The COPPA imposes certain requirements on website operators that serve to protect the personal information of children under 13 years of age.
- The CalOPPA requires any “commercial website” that collects personally identifiable information from California residents to conspicuously post a privacy policy that meets specific requirements. Website operators that fail to comply could face private suits or public enforcement actions seeking civil penalties, among other remedies.
- The CCPA, often characterized as the stateside counterpart to the GDPR, is too detailed and broad to fully summarize here. Generally, however, the law applies to businesses that have a certain footprint (e.g., they have a gross revenue of over $25 million or buy or sell personal information for over 50,000 consumers); and it gives California consumers the right to know and control what personal information is collected from them, the right to request that a business not share or sell such information, and other rights related to personal data. It also creates a private right of action related to data breaches. The law is the source of the ubiquitous “Do Not Sell My Personal Information” link on website home pages. Another key feature is that it requires that privacy policies describe the various rights afforded by the act.
- The recent CPRA, effective January 1, 2023, builds on the CCPA by adding new rights for Californians to correct inaccurate personal information that a business has obtained, as well as greater protections to limit the disclosure of sensitive personal information.
Finally, many other states—including Connecticut, Maryland, Massachusetts, New York, Utah, and Virginia—have data privacy laws that are similar to those in California. And it is highly likely that more will join as more business moves from traditional brick-and-mortar stores to the internet. Thus, for any business that operates a website, it is indisputably necessary to ensure compliance with these federal and state data privacy laws.
No. 6: The Pre-Sale Availability Rule
Last year witnessed the birth of a species of class action invoking the Pre-Sale Availability Rule (PSAR), which the Federal Trade Commission (FTC) enacted under the Magnuson-Moss Warranty Act. The PSAR imposes requirements on sellers and warrantors of consumer products that have written warranties and cost more than $15. See 16 C.F.R. § 702.3. Insofar as retailers are concerned, the PSAR requires that the text of such warranties be made “readily available for examination by the prospective buyer.” Id. § 702.3(a). Retailers can do that by (a) displaying the warranty “in close proximity” to the product; or (b) furnishing the warranty “upon request prior to sale,” but only if they also have signs that (i) are placed in “prominent locations in the store or department,” (ii) are “reasonably calculated to elicit the prospective buyer’s attention,” and (iii) “advis[e] such prospective buyers of the availability of warranties upon request.” Id. §§ 702.3(a)(1), 702.3(a)(2). Although those requirements were written with brick-and-mortar stores in mind, the FTC has said that they apply with equal force to online sales. See Fed. Trade Comm’n, .com Disclosures: How to Make Effective Disclosures in Digital Advertising 3 n.7 (Mar. 2013) (“For the most part, rules and guides that use terms such as ‘written,’ ‘writing,’ and ‘printed’ apply online. . . . The requirement to make warranties available at the point of purchase can be accomplished easily online by, for example, using a clearly-labeled hyperlink, in close proximity to the description of the warrantied product, such as ‘get warranty information here’ to lead to the full text of the warranty, and presenting the warranty in a way that it can be preserved either by downloading or printing.”). It follows that retailers with an online presence—which is to say virtually all retailers—should keep this in mind as they design their websites’ purchase paths.
No. 7: Arbitration Provisions
Arbitration provisions have been evolving for years. The product of resistance by plaintiffs, review by judges, and refinement by business, modern arbitration agreements benefit both businesses and consumers by creating an alternative to the judicial system’s two traditional methods of resolving consumer disputes: inefficient class actions and impractical individual actions. But the recent trend of so-called mass arbitration calls for immediate review of such agreements—even those that were refreshed just a few years ago.
Mass arbitrations occur when thousands of claimants—generally employees but sometimes consumers or other plaintiffs—file demands for individual arbitration at the same time. This is done not because their lawyers want thousands of arbitrations but because they want to force the defendant to choose between paying thousands of filing fees or settling on a class-wide basis. One court colorfully quipped that a defendant in this scenario had “traded a giant incoming meteor for a landslide of pebbles.” Careful companies are revising their arbitration provisions—for example by recalibrating fee-shifting provisions and adding bellwether provisions—to make mass arbitrations less likely.
No. 8: Choice-of-Law Provisions
Some terms of use have choice-of-law provisions that provide for the application of one state’s law—generally the state in which the business is headquartered—to everyone who visits the site. There may be compelling reasons to do that in some circumstances. But businesses should think twice before reflexively doing so because differences in state laws often create individualized issues that predominate over any supposedly common ones. Making the law of one state apply to everyone takes that arrow out of the defendant’s quiver—often with no articulable business benefit in return.
No. 9: Contract-Formation Procedures
There are two kinds of online contracts: “clickwrap” contracts, which require consumers to manifest their assent by (for example) clicking a button to that effect; and “browsewrap” contracts, which are made available via a link, usually in the familiar footer at the bottom of the page, but do not require consumers to manifest their assent by doing anything other than using the site. Although courts routinely enforce properly implemented clickwrap contracts, some have been reluctant to enforce browsewrap contracts, at least when there is no independent evidence that the consumer had notice or knowledge of the agreement. Businesses should therefore think carefully about whether a particular provision is one that they want to be able to enforce in a dispute with a consumer—and, if it is, they should deploy that contract accordingly.
No. 10: Online Cancellations
As automatically renewing subscriptions continue to grow in popularity, businesses should note a new trend in the automatic renewal laws (ARLs) that regulate such contracts. A handful of states have imposed additional requirements related to cancellation methods for renewing agreements. These states mandate that for a renewing contract accepted online, a business must also allow the consumer to cancel online. Although this type of requirement is currently only in effect in certain jurisdictions (e.g., California, Delaware, Idaho, Illinois, New York, Tennessee, Vermont, and Virginia), it is safe to assume that other states will follow suit. Indeed, some state legislatures, such as in Michigan, have proposed bills that would include an online cancellation requirement.
California’s ARL goes even further. It not only requires online cancellation for renewing contracts accepted on the internet, but, as of July 2022, it also regulates how a consumer must be permitted to cancel online—that is, either through a “prominently located direct link or button” or an “immediately accessible termination email” that can be sent without additional information (e.g., an automatically generated, preformatted cancellation email that the consumer can easily access by clicking a link on the business’s website). If the past is a prologue, California’s requirements will serve as a template for other ARLs. It would therefore be prudent even for companies that do not do business in the Golden State to consider complying with these additional requirements now.
Looking Ahead
To be sure, there are substantive and procedural defenses to the theories of liability noted above. Each could be the subject of a separate article—or series of articles. For present purposes, then, we have tried only to identify issues that website designers and contract drafters should review with the assistance of experienced counsel. Fundamentally, it is often the case that class-action risk can be mitigated—if not eliminated—by making mostly modest modifications to terms and conditions, terms of use, privacy policies, and other customer-facing documents.