The “new privacy”: Internet laws for a hyper-public world

By Robert L. Ellis

This is the first of a two-part article on Internet law. The second article will appear in the November/December issue.

The modern, commercial Internet has been around for a generation now: The switch of the Internet’s infrastructure from limited, academic use to full commercial use began in 1991, and was complete by 1995. Similarly, Internet law has had a generation to develop and mature. National and international laws regulating the Internet and its use have become sophisticated and surprisingly effective, particularly with regard to online contracts and privacy.

Online contracts

Notwithstanding many websites’ terms of use that claim otherwise, merely passively visiting a website does not contractually bind an Internet user to that website’s terms of use. What a passive visit can trigger, however, is the user’s consent to certain terms of access, such as the website’s right to monitor the user’s interaction with the site, place cookies, display graphic content or disclaim the accuracy of information.
Anything more than a passive look at a website may well contractually bind the user to the website’s terms of use, even if no money changes hands, and even if the user is not identified at the time. The user can be a minor, since contracts entered into by minors are not void, but merely voidable. No separate affirmative assent— such as clicking an “agree” button—is necessary. A user’s interaction with a website constitutes his or her “signature” to the terms of use if the intent-to-be-bound element is fulfilled. Courts generally find such intent where a link to the website’s terms of use is conspicuous. Users who interact with a website are bound by its terms, even if they do not bother to read them, as long as there is a conspicuous link to them.1
This principle—“If you proceed after having had an opportunity to review the terms, then you are contractually bound by them”—has given rise to a new contractual paradigm: online contracts that may be changed or completely rewritten at any time, without notice to the user. Courts have found such contracts to be valid, not because unilateral modifications to a contract are suddenly permissible, but rather because it is acceptable for an online contract to be valid only for a single visit to the website, requiring the user to check the terms and either proceed and accept or discontinue and reject them each time the user visits the site.2 It is considered good practice to prominently disclose the date of the most recent changes, highlight those changes, and make prior versions available online.
A newer and increasingly popular variation of the “proceed after having had an opportunity to review” principle is for companies to issue hard-copy form contracts, purchase orders and the like that do not have a full set of terms and conditions printed on them, but that instead incorporate by reference terms and conditions posted on the company’s website. The date of the signed paper contract determines which version of the posted terms and conditions applies. This approach has distinct advantages: Paper documents without pages of fine print are simpler and more attractive. The terms and conditions can be as complex as desired, and can be changed at any time without reprinting the forms. This type of hybrid agreement has been challenged on the ground that the terms and conditions are insufficiently conspicuous, but courts have had no trouble upholding such incorporations by reference, as long as the website where the provisions are located is clearly identified.3

Online privacy

Not a day seems to go by without some app coming up with a new way to capture and compile ever more information about us. Even if we were to shut off our computers and use landline phones, our friends are posting and tagging their photos of us, Google is photographing our houses from cars and satellites, and surveillance cams in stores are going “smart” to recognize our faces. Public information about such things as our properties, our job histories, schools we attended, who our friends are, once safely offline, has become “hyper-public.” Sooner or later information about even the most reclusive hermit will be available on the web, complete with biometric identification. Realtime online facial recognition systems are becoming so accurate that it is only a matter of time before a person walking down the street will be able to identify everyone who passes by—where they live and work, who their friends are, what their interests are, how much education they have, and whether they have criminal records. One big-city police chief, after discovering that every officer in his department under age 30 had a Facebook account, wondered how anyone would be able to do undercover work in the future.4

The Internet has affected our notion of privacy in many ways, one of which involves the ability to express our views anonymously. James Madison, Alexander Hamilton and John Jay wrote the Federalist Papers using a pseudonym. Two-hundred years later, the Ohio legislature tried to ban anonymous political literature. The U.S. Supreme Court struck down the law, stating: “The right to remain anonymous may be abused when it shields fraudulent conduct. But … in general, our society accords greater weight to the value of free speech than to the dangers of its misuse.”5

The right to express one’s views anonymously does not apply online. The First Amendment prohibits government from infringing the rights of free speech and free press, but the government is not in the business of providing Internet service. In an online context, privacy is not a right, but a matter of contract. Online companies can collect, compile, cross-index, disseminate, sell and generally use for commercial purposes whatever personal information they can acquire, with no time limits, as long as their terms of use say they can do so. Nonetheless, de facto online anonymity is commonplace. Many online forums permit users to log in and submit comments anonymously or pseudonymously, so the only practical means of identifying someone who makes a defamatory comment, infringes intellec- tual property rights, or engages in criminal activity would be to obtain the server logs of the forum host so as to check the IP address of that user, and then to contact the Internet service provider who provides online access to that IP address to try to find out who the user is. Online companies that collect private data about their customers jealously guard such information because it represents the lifeblood of their business. Many such companies will actively oppose any subpoena they consider to be over-reaching.

Although online privacy is normally a matter of contract, some violations of online privacy occur outside of any contractual relationship. These include spamming, hacking into someone else’s computer, accessing someone else’s email account without permission, logging into an employer’s computer system after one has left the company, stealing a laptop with confidential medical data, and “phishing” (attempting identity theft by putting up a fake merchant website and hoping people will provide personal information). Numerous federal and state laws cover such issues. Examples include the Electronic Communications Privacy Act, which prohibits unauthorized access to any computer, the Computer Fraud and Abuse Act (CFAA), which makes it illegal to access a “protected computer without authorization, or exceeding authorized access,” and the federal CAN-SPAM Act, which does not ban unsolicited commercial email, but requires that every such email provide an ability to opt out. Most states, including Ohio, also have data breach notification laws, which require companies that maintain individuals’ private information to notify those individuals in the event of a privacy breach.6

Because the CFAA makes it illegal to access a “protected computer without authorization, or exceeding authorized access,” the CFAA comes close to criminalizing violations of a website’s terms of use. The concept of “protected computer” has been interpreted to include a website, and a website owner can use its terms of use to spell out what is prohibited; i.e. what access is not authorized.7 In 2008 a federal criminal prosecution was initiated against a social network user who violated the site’s terms of service.8 The prosecution was based on the notion that a private company’s terms and conditions were in effect incorporated into the federal criminal code. The court held that such an interpretation could not survive constitutional challenges, and entered a judgment of acquittal notwithstanding conviction by a jury. The U.S. Department of Justice now takes the position that no further such prosecutions will be attempted.

Commercial websites collect and analyze large amounts of data about their customers as well as mere visitors, and generally that’s fine as long as they must disclose what types of data they collect and what they use it for. If they fail to do this, it could be costly. The Federal Trade Commission (FTC) actively pursues website operators that violate consumer privacy rights, or that mislead visitors by failing to maintain adequate security for sensitive consumer information; multimillion dollar fines and settlements are not rare. State attorneys general likewise enforce consumer protection laws in an online context.

Children under age 13 have an extra measure of privacy protection. The Children’s Online Privacy Protection Act (COPPA) prohibits the operator of any website that is “directed to children” or who knows that the website is collecting information from such children from doing so without parental consent.9 The phrase “directed to children” is not defined by statute or rule, but the FTC, which is responsible for enforcement of COPPA, seems to interpret it as meaning “directed primarily to children.” Although the FTC actively enforces COPPA as applied to true children’s sites, if a website attracts millions of visitors under age 13, as the site is not directed primarily to children it apparently will not risk FTC enforcement action.

Journalists have unique privacy needs. The First Amendment, while protecting freedom of the press, does not guarantee that journalists will never have to reveal their sources. Such privilege, if it is to exist at all, must be in the form of a statute. A large majority of states have some form of journalistic shield law that protects journalists from being required to reveal their sources. But who is a “journalist”? Individuals who are not constrained by any journalistic ethics, who never studied journalism, and who never worked for any news organization now flood social networks, reader comment forums, blogs and do-it-yourself websites with videos, photos, comments and descriptions of “fact.” Are such people “journalists”? With regard to the privacy afforded by shield laws, traditional journalists have the advantage over self-professed online journalists. To take advantage of a shield law, most states, including Ohio, require the person claiming shield law protection to be a “real” journalist, and not just a blogger. In fact, Ohio requires that not only must the person be a real journalist, but he or she must have been functioning as one at the time the source disclosed the confidential information.10

Employees who use the Internet at work generally understand that their employers may monitor their online communications. It is settled law that as long as the employees are informed that they have no expectation of privacy regarding such communications, the employer may monitor them. Nonetheless, some courts have held that notwithstanding employer policies, privileged communications—such as those with counsel or a spouse—remain privileged even when an employee uses a workplace computer to communicate.11 Ohio courts have not ruled on the issue.

Some people encrypt their files in the belief that they cannot be compelled to reveal their password—and they may be right. The U.S. Court of Appeals for the 11th Circuit recently ruled that a defendant who has been ordered to divulge a password may refuse and invoke the Fifth Amendment protection against self-incrimination.12

One other overarching legal issue regarding online privacy is known but seldom addressed. Notwithstanding any privileges or contractual protection, since 2001, numerous federal laws and executive orders have given government agencies the right to monitor any Internet traffic they wish, and have required Internet service providers and equipment manufacturers to build monitoring capabilities into their systems. Since the focus of such monitoring is national security rather than investigation and prosecution of criminal offenses, no individual has successfully claimed standing to challenge any such measures.13

Part two of this article will appear in the November/December issue.

Author bio
Robert L. Ellis is a partner at the Columbus firm of Peterson, Ellis, Fergus & Peer LLP. His areas of practice include international and domestic commercial transactions, internet and technology law and intellectual property law. Ellis is a frequent speaker on topics related to the Internet, digital technology law, international private law, privacy law and legal ethics. His email address is

1 See, e.g. Snap-on Business Solutions Inc. v. O’Neil & Associates, Inc., 708 F.Supp.2d 669, 682 (N.D. Ohio 2010), and cases cited therein.
2 Peleg v. Niemen Marcus Group, Inc., 2012 WL 1297337 (Cal. App. Apr. 17, 2012). Compare Harris v. Blockbuster, Inc., 622 F.Supp.2d 396, which held invalid a “changes effective upon posting” clause that failed to state that such changes did not affect events or disputes arising prior to the posting.
3 One Beacon Insurance Co. v. Crowley Marine Services, Inc., 658 F.3d 258, 268; 2011 WL 3195292 (5th Cir.) (applying maritime law): “[I]nternet provisions clearly incorporated by reference into a purchase order, readily available on the identified internet site, and plainly and clearly set forth therein, are binding even where the party has not read them.”, Inc. v. Chemoil Corporation, 2008 WL 194360,*11 (S.D. Tex.): “Here, it is beyond dispute that the confirmation and the receipt refer to [defendant’s] ‘terms and conditions.’ In addition, the confirmation explicitly states, ‘[p]lease contact us if you require a copy of the standard terms and conditions of sale of marine fuel by [defendant],’ and the terms were available on [defendant’s] website. For that reason, Plaintiff cannot claim that the terms and conditions were not made available to it.”
4 Hamish Barwick, “Social media could render covert policing ‘impossible’,” TechWorld, Aug. 25, 2011, article/398599/social_media_could_render_covert_policing_impossible_/.
5 McIntyre v. Ohio Elections Commission, 514 U.S. 334, 357, 115 S.Ct. 1511, 1524, 131 L.Ed.2d 426, 438 (1995).
6 18 U.S.C. §§2510-2522; 18 U.S.C. §1030; 18 U.S.C. §1030(a)(2), (a)(4), 5(A)(ii) and 5(A)(iii); 15 U.S.C. §7701; R.C. 1347.12 and 1349.19.
7 EF Cultural Travel B.V. v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003); U.S. v. Drew, 259 F.R.D. 449, 461 (C.D. Cal. 2009).
8 United States v. Drew (indictment), No. CR08-00582-GW (C.D. Cal. May 15, 2008).
9 15 U.S.C. §§6501-6508.
10 R.C. 2739.04. See also Svoboda v. Clear Channel Communications, Inc., 2004-OH- 894, 805 N.E.2d 559 (Lucas Cty.).
11 Sims v. Lakeside School, 2007 WL 2745367 (W.D. Wash. Sept. 20, 2007).
12 In re Grand Jury Subpoena Duces Tecum Dated March 25, 2011, 2012 WL 579433 at *4 (11th Cir. Feb. 23, 2012).
13 See American Civil Liberties Union v. National Security Agency, 493 F.3d 644 (6th Cir. 2007).



Staff Directory

Contact Information


8 A.M. - 5 P.M.
Monday - Friday