So, you’re ready to attempt your first foray into e-commerce. Your attention may have been focused on the business aspects of your website and/or app, but have you given proper attention to the legal aspects?
The problem is that those documents mean nothing if your website and/or app are not properly designed. The reason for this is that your website and/or app must be set up so that a court will consider those documents to be binding contracts. How do you do that?
Browsewrap Versus Clickwrap
However, not all clickwrap agreements are upheld by the courts, just as not all browsewrap agreements are rejected. Ultimately, the design of your website will determine whether or not a clickwrap agreement (or even a browsewrap agreement) is enforced.
What are some of the statutes that are likely to be applicable to your business? If your website is going to host user-generated content, then make sure that you are compliant with the Digital Millennium Copyright Act (DMCA). Section 512(c) of the DMCA provides a safe harbor to online service providers by granting them immunity from monetary damages for claims of copyright infringement arising from content posted by their users. However, you must strictly comply with the requirements of the DMCA in order to gain the protection of its safe harbor provision.
Is your website and/or app directed to children under 13 and does it collect Personally Identifiable Information (PII) from children, or do you have actual knowledge that you are collecting PII from children?
Moreover, COPPA, like many statutes covering technology law, is periodically amended. For example, on July 1, 2017, COPPA was amended to take into account the increase in online data collection, behavioral marketing and the use of mobile devices.
Another consideration is whether or not your website and/or app is compliant with Title III of the Americans With Disabilities Act (ADA). The key question here is whether or not a website or app constitutes a “place of public accommodation” under the ADA. While courts are divided on this question, that division has not deterred plaintiffs’ lawyers from filing a plethora of class action lawsuits around the country for failure to comply with the ADA.
Adding to the confusion is the fact that the Department of Justice just this summer placed its plans to issue regulations under Title II of the ADA on an inactive list. The DOJ had previously kicked the target date for these regulations to 2018, but at the same time indicated that it would not hesitate to bring actions against websites and apps for violations of the ADA. So make sure that you discuss this issue with your lawyer, lest you become a defendant in a class action lawsuit.
Will you be accepting credit cards or debit cards? If so, then you must be in compliance with the Payment Card Industry Data Security Standard (PCI DSS), which sets forth the minimum data protection measures required of all entities accepting credit cards. Compliance is predicated upon how you process card transactions. Since the Payment Card Industry Security Standards Council regularly releases updated versions of its data security standard, make sure that you are in compliance with the current standard.
Of course, this does not even touch upon the various state statutes that might be applicable to your website and/or app. One example of this is California’s Automatic Renewal Law (ARL). If you will have any users in California and will also have an arrangement where a paid subscription or purchasing agreement is automatically renewed until the user cancels, then you had better make sure that you comply with the requirements of the ARL. It has also been the subject of many class action lawsuits, especially due to its very generous damages provision.
Other state statutes to be aware of are the California Online Privacy Protection Act (CalOPPA), California’s Privacy Rights for California Minors in the Digital World (known as the “Eraser Law”), the Delaware Online Privacy and Protection Act (DOPPA), and, in the event your website and/or app has been hacked, the numerous state laws requiring disclosure.
Moreover, if you intend to have users outside of the U.S., you must be aware of the fact that much of the rest of the world, and especially the EU, treats PII very differently than the U.S. The EU provides much greater protection to PII than does the U.S. Therefore, you must become familiar with the General Data Protection Regulation (GDPR), which will take effect on May 25, 2018. The GDPR will make drastic changes to how companies can collect and use personal data about web users in the EU. Even though it does not go into effect until May 2018, you should make sure now that you are compliant since the GDPR provides hefty penalties for noncompliance.
Additionally, after the EU safe harbor provision was declared invalid by the EU’s Court of Justice, it was replaced in July 2016 with the EU-US Privacy Shield. The Privacy Shield is one of the few ways by which personal data can be legally transferred from the EU to the U.S. The Privacy Shield is only available to U.S. companies and applies only to data transfers from the EU to the U.S.
As you can see, when treading into e-commerce, make sure that one of the first persons that you contact is a lawyer experienced in technology law and e-commerce. The failure to do so could end up costing you greatly and ruin the experience for you.