Davis & Gilbert LLP
WEB SITE RULES – PRIVACY LAW

Mary M. Luria (mluria@dglaw.com)
Gary A. Kibel (gkibel@dglaw.com)



Web site owners and sponsors have been invited by everyone from the FTC, to Congress, to the state and federal courts to write their own private laws (a/k/a site rules) for their Web sites. As long as the site rules are not hidden (and in some cases as long as there are user “reminders” at crucial times, such as privacy statement click-throughs to the privacy portions of the rules before the user submits personally identifiable information), the user will be bound by the site rules and the site owner will have the rights specified in the rules, as well as a range of remedies against the user who breaks the rules – almost always an injunction, but sometimes damages and, in egregious cases, enhanced monetary relief. So what site rules do you put on your site today?

It is axiomatic that all publicly accessible U.S.-oriented Web sites must post privacy rules – usually called policies, statements or disclosures – explaining the site’s information collection practices and telling the site user what the site owner may do with the information collected. It may at first seem odd to refer to privacy statements as site rules, but since the U.S. approach to privacy to date (unlike that of the EEC) has been to require disclosure but generally not to regulate substance (sometimes to require disclosure coupled with a requirement of the user’s active or passive assent), the site owner in effect writes his own rules when he writes the privacy statement. Every Web site should have a privacy policy even if all it says is that the site collects no information whether actively or passively by using cookies or Web bugs (yes, there still are such sites, but they are few). The statement can be part of the general site rules, but should be separately accessible by its own click-through command. The statement should give the site owner the flexibility to use the information as he intends today with the possibility that the business may change and he may want to make other uses of the information to deal with tomorrow’s business needs. The required disclosures are clear. What is collected, how is it collected and stored, how is it used, with whom is it shared and for what purposes, what security measures are used to protect it and how may the user have it corrected or deleted? Plain English should be used in drafting, and no puffery or promises about protecting privacy which the site owner will not be willing to keep should be included.
Always add that the site owner may disclose and transfer the information to consultants providing services in connection with the site and to order fulfillment operations, to affiliates (possibly even to employees of the same company in another division operating under a different brand name and appearing to the user to be a separate entity), to its business “partners”, to purchasers of stock or assets (whether in negotiated transactions or takeovers or in bankruptcy) – possibly, also, to third parties selected by the site owner who offer a range of products and services which may be “of interest” to the user. The site owner may not be planning any of these today but will not want to find his hands tied tomorrow when he does wish to do one or all of the above. While the site owner should always reserve the right to change the privacy statement in the future, information collected under earlier, more restrictive statements must be handled in accordance with the statement in effect at the time the information was submitted by the user and collected by the site owner (a database management nightmare if the privacy statement changes several times). Despite the clearest possible public pronouncements by the FTC and widely publicized enforcement actions, there still are sites without privacy notices. Given the statistics on how few people read them and the even fewer people who are deterred from using the site by what the site rules say, it is surprising that many site owners hesitate to give themselves broad flexible rights to use and disclose the information in connection with their ever-changing business needs.

But privacy statements are just the beginning of site rules, even if they are the sine qua non of all rules. A number of cases upholding Web click contracts, applying concepts of electronic “trespass” on the Web site, and newer more creative applications of the amended Computer Fraud and Abuse Act (CFAA) invite the Web site owner to lay down his own private laws about other aspects of site use, because the user will be bound to “obey” these other site rules on one or more of several legal theories. These theories range from breach of the Web click contract the user assented to by clicking or merely using the site after the contract terms were made available for viewing on the site, to electronic trespass if the site is used in violation of use rules, to a CFAA violation if the site is used “without authorization” or in a manner which “exceeds authorized access” (provided, in the last case, that this results in loss or damage of at least $5,000 in one year, including “impairment to the integrity or availability of data, a program, a system or information”). This is the broadest possible invitation to the site owner to post rules on the site, coupled with ample legal means to enforce these rules. While it is preferable to have a Web click routine (even one where “I agree” is pre-checked as the default option) to elicit the user’s assent, there are cases that bind the user who has a clear opportunity to see the site rules (whether or not this opportunity is invoked), particularly where the rules are easily accessible by click-through at or near sign on and clearly state that use of the site constitutes consent.

Your rules can go far beyond your rights under copyright, trademark and trade secret law – can even restrict the use of information made publicly available on or through your site. At a minimum the site owner should state who is authorized to use the site and for what purposes. Prohibited uses may also be listed: use to disrupt the site, spamming, use by competitors or other third parties to damage the site owner by disparaging the site owner or by gathering information about the site owner’s business or about users of his site to aid in competition with the site owner or to benefit a noncompeting business by permitting it to “free ride” on the information rather than paying the site owner for a license to use the information. The court in Register.com, Inc. v. Verio, Inc. prohibited under CFAA a third party’s marketing use of publicly available “Whois” data gathered by a robot from the domain registrar’s site, citing the site rules on authorized use and the “strain” placed on the site by robotic searches – despite the legal requirement imposed on the domain registrar that Whois information be made publicly available. Other cases prohibit under CFAA the use of a “scraper” program to collect price information from a public tour site (E.F. Cultural Travel v. Explorica) and the use of “hacking” to obtain member information from a dating site for the purpose of contacting members to hijack them to a pornographic Web site from which they cannot exit by using the “back” button (Your Net Dating, LLC v. Mitchell).

However surprising it may seem in the context of a publicly available Web site, the site owner can create his own little kingdom and enact his own laws. The site user who violates site rules can, at a minimum, be exiled by injunctive relief; if the user has benefited from his violation, or has damaged the site even slightly, the user may also be ordered to pay damages to the site owner. What site owner would not post site rules? All kings, dictators, presidents and legislators have done the same for all time. Even site owners who would rarely or never litigate to enforce rules (e.g., celebrity sites dealing with fans) will want to post rules for the deterrent effect they may have on the well-intentioned user.


© 2001 Davis & Gilbert LLP