Times They Are A-Changin’… and Your Website Terms and Policies Should Too

It is a good time to review your website and its accompanying terms and conditions and privacy policies. From year to year, the legal landscape evolves with changes being driven by technological advancements, shifting business models, regulatory activity, legislative attention, and judicial rulings. As such, website operators must be aware of the changes that impact their existing policies and practices and any resulting liability risks. This alert provides a brief summary of issues and recent legal events that may affect your website and governing policies.

  • A recent California case makes it possible for any business that conducts business online to be sued in California court for failing to provide reasonable accommodations for disabled site users. This means that websites should incorporate accessibility solutions that allow impaired or disabled users to navigate the website or mobile application.
  • New Jersey law prohibits the use of any contractual terms that (i) violate state law or any general responsibility of a seller of goods; (ii) waive any consumer rights; or (iii) include blanket savings clauses (e.g., “void where prohibited”). In addition to auditing your terms of sale, we advise that operators move all terms of sale for goods and services to a separate, standalone policy.
  • The procedure employed to effect agreement to the terms is often subject to judicial scrutiny. Best practices involve the use of a so-called “click-wrap” procedure to ensure that users are bound to the published terms, which may include scroll-through functionality or hyperlinks, checkboxes (not pre-checked), redundant affirmations, and the look, feel, and proximity of material terms and disclaimers.
  • Courts are less likely to enforce certain substantive terms such as choice of law, venue selection, and dispute resolution procedures such as mandatory arbitration. The indispensable requirements of contract formation – sufficient notice, assent, and consideration – will determine whether such terms are enforced.
  • Sites that include interactive features and allow users to upload or post content should consider potential issues such as intellectual property infringement, libel and defamation, and rights of publicity. Any site that allows for the publication of user-generated content should be aware of the Digital Millennium Copyright Act Safe Harbor requirements along with newly proposed changes to Section 230 of the Communications Decency Act.
  • It is always tempting to copy and paste terms from a third-party site. Still, operators should beware that while terms are not generally required by law, publishing false or deceptive terms, or misrepresenting your actual practices, may lead to unnecessary liability. Your terms should be specifically tailored to your practices and site users.
  • Changes to your terms and policies may not be enforced unless the user is provided legally sufficient notice and then consents to the modified terms. To this end, best practices involve the utilization of a notification process (e.g., email, splash) plus an additional click-through procedure.
  • Recent cases suggest that courts are more likely to enforce terms conveyed through plain language, presented using conspicuous text and formatting (e.g., bold, underlined) on uncluttered pages, and through pages optimized for mobile devices.
  • Organizations should review their website and/or mobile application privacy policies and practices. States are adopting new privacy laws which could require revisions to privacy policies.  In March 2021, Virginia adopted a new state privacy law.  In November 2020, California voters approved a ballot initiative, the California Privacy Rights Act (“CPRA”), which significantly revises and expands the California Consumer Privacy Act of 2018.  Organizations have until January 1, 2023, to come into compliance with both the new Virginia law and the CPRA and should consider taking steps to comply, when applicable, sooner rather than later.  A number of other states also are considering new privacy legislation, which could require changes to privacy policies and related practices.
  • Organizations should also review their website and mobile application privacy practices to ensure that they are consistent with the website’s privacy policy.  Failure of a website operator to comply with the promises made in its privacy policy could result in deceptive acts or practices claim by the Federal Trade Commission, state attorney general, or other regulators.
  • Organizations should ensure that the technical aspects of their websites and mobile applications also comply with the promises the organization sets out in its privacy policy. In January 2021, for example, the FTC brought an enforcement action against the operator of a health-related mobile application, alleging that the application developer transmitted sensitive health information to Facebook and other third parties despite privacy promises to the contrary.  According to the FTC, this happened when the developer, who was using software development kits from Facebook and various other third-party partners, transmitted application events that were coded based on health events of its users, such as pregnancy, rather than using more generic event terminology that would not have revealed health information to the third-party partners.
  • Organizations with an international focus should also consider their obligations, if any, under the privacy laws of the foreign jurisdictions where they are doing business through their websites and mobile applications.  An increasing number of international jurisdictions have data protection laws that could apply and need to be addressed in the organization’s privacy policy and related practices.  The European Union’s General Data Protection Regulation and Brazil’s Law for the General Protection of Data are two examples.  Many other countries have adopted data protection laws that may need to be considered as well if the organization is doing business or collecting personal information in those markets as well, such as Canada, Mexico, Australia, Argentina, Japan, New Zealand, Singapore, and South Africa to name a few.


Kevin L. Coy is a partner in Arnall Golden Gregory LLP’s Washington D.C. office and co-chair of AGG’s Privacy practice. Kevin can be reached at kevin.coy@agg.com.

Matthew V. Wilson, Esq., partner at Arnall Golden Gregory LLP, is co-chair of the Entertainment and Sports team. Matt can be reached at matthew.wilson@agg.com.