By UpCounsel Corporate Attorney Ira Bornstein

So, you’re ready to attempt your first foray into e-commerce. Your attention may have been focused on the business aspects of your website and/or app, but have you given proper attention to the legal aspects?

You must have a terms of use and privacy policy for your website, and if you have an app it is strongly recommended that you also have your own End User License Agreement (EULA).

The problem is that those documents mean nothing if your website and/or app are not properly designed. The reason for this is that your website and/or app must be set up so that a court will consider those documents to be binding contracts. How do you do that?

Browsewrap Versus Clickwrap

There are basically two ways to set up your website and/or app: browsewrap and clickwrap. A browsewrap agreement does not require an affirmative click by the user. Merely by using the website, the user agrees to the terms and conditions. In contrast, a clickwrap agreement requires that the user affirmatively agree to the website’s terms and conditions by clicking on a checkbox.

However, not all clickwrap agreements are upheld by the courts, just as not all browsewrap agreements are rejected. Ultimately, the design of your website will determine whether or not a clickwrap agreement (or even a browsewrap agreement) is enforced.

Based upon the most recent court decisions, it is our recommendation that all websites and/or apps be designed so that the terms of use and privacy policy are determined to be enforceable clickwrap agreements. But make sure that you consult an experienced technology lawyer to ensure that your website and/or app are properly designed. Otherwise, no matter how finely crafted your terms of use and privacy policy might be, they will not be enforceable.

Of course, your terms of use, privacy policy and EULA must still contain the proper provisions to protect you and your business from claims and lawsuits. This is especially so considering that websites and apps have become the new darlings of the plaintiffs’ bar. Your terms of use, privacy policy and EULA must be tailored to your specific business. Do not simply copy what someone else is using, since it won’t necessarily provide the protection that your business requires.


What are some of the statutes that are likely to be applicable to your business? If your website is going to host user-generated content, then make sure that you are compliant with the Digital Millennium Copyright Act (DMCA). Section 512(c) of the DMCA provides a safe harbor to online service providers by granting them immunity from monetary damages for claims of copyright infringement arising from content posted by their users. However, you must strictly comply with the requirements of the DMCA in order to gain the protection of its safe harbor provision.


Is your website and/or app directed to children under 13 and does it collect Personally Identifiable Information (PII) from children, or do you have actual knowledge that you are collecting PII from children?

If so, then you must comply with the Children’s Online Privacy Protection Act (COPPA). There are very specific disclosures mandated by COPPA that must be included in your terms of use, privacy policy and EULA, and you must have direct notice to parents combined with verifiable parental consent.

Moreover, COPPA, like many statutes covering technology law, is periodically amended. For example, on July 1, 2017, COPPA was amended to take into account the increase in online data collection, behavioral marketing and the use of mobile devices.


Another consideration is whether or not your website and/or app is compliant with Title III of the Americans With Disabilities Act (ADA). The key question here is whether or not a website or app constitutes a “place of public accommodation” under the ADA. While courts are divided on this question, it has not deterred plaintiffs’ lawyers from filing a plethora of class action lawsuits around the country for the failure to comply with the ADA.

Adding to the confusion is the fact that the Department of Justice just this summer placed its plans to issue regulations under Title II of the ADA on an inactive list. The DOJ had previously kicked the target date for these regulations to 2018, but at the same time indicated that it would not hesitate to bring actions against websites and apps for violations of the ADA. So make sure that you discuss this issue with your lawyer, lest you become a defendant in a class action lawsuit.


Will you be accepting credit cards or debit cards? If so, then you must be in compliance with the Payment Card Industry Data Security Standard (PCI DSS), which sets forth the minimum data protection measures required of all entities accepting credit cards. Compliance is predicated upon how you process card transactions. Since the Payment Card Industry Security Standards Council regularly releases updated versions of its data security standard, make sure that you are in compliance with the current standard.

State Statutes

Of course, this does not even touch upon the various state statutes that might be applicable to your website and/or app. One example of this is California’s Automatic Renewal Law (ARL). If you will have any users in California and will also have an arrangement where a paid subscription or purchasing agreement is automatically renewed until the user cancels, then you better make sure that you comply with the requirements of the ARL. It has also been the subject of many class action lawsuits, especially due to its very generous damages provision.

Other state statutes to be aware of are the California Online Privacy Protection Act (CalOPPA), California’s Privacy Rights for California Minors in the Digital World (known as the “Eraser Law”), the Delaware Online Privacy and Protection Act (DOPPA), and, in the event your website and/or app has been hacked, the numerous state laws requiring disclosure.

EU Regulations

Moreover, in the event that you intend on having users outside of the U.S., you must be aware of the fact that much of the rest of the world, and especially the EU, treats PII very differently than the U.S. The EU provides much greater protection to PII than does the U.S. Therefore, you must become familiar with the General Data Protection Regulation (GDPR), which will take effect on May 25, 2018. The GDPR will make drastic changes to how companies can collect and use personal data about web users in the EU. Even though it does not go into effect until May 2018, you should make sure now that you are compliant since the GDPR provides hefty penalties for noncompliance.

Additionally, after the EU safe harbor provision was declared invalid by the EU’s Court of Justice, it was replaced in July 2016 with the EU-US Privacy Shield. The Privacy Shield is one of the few ways by which personal data can be legally transferred from the EU to the U.S. The Privacy Shield is only available to U.S. companies and applies only to data transfers from the EU to the U.S.

The Takeaway

As you can see, when treading into e-commerce, make sure that one of the first persons that you contact is a lawyer experienced in technology law and e-commerce. The failure to do so could end up costing you greatly and ruin the experience for you.

About the author

Ira Bornstein

I have a plethora of experience both as an accomplished commercial trial and appellate lawyer and as a general counsel and have been rated AV by Martindale-Hubbell for over two decades. I have handled complex commercial matters and litigation throughout the United States, having represented parties in matters in over a dozen states. Besides handling innumerable trials (both jury and bench), I have successfully argued before the Supreme Court of the United States, numerous federal Courts of Appeal, the Supreme Courts of the States of Colorado and Illinois, and several states' appellate courts. I have appeared before administrative agencies of the United States and have participated in mediations and arbitrations, both as a litigant and as a neutral.
