This principle—“If you proceed after having had an opportunity to review the terms, then you are contractually bound by them”—has given rise to a new contractual paradigm: online contracts that may be changed or completely rewritten at any time, without notice to the user. Courts have found such contracts to be valid, not because unilateral modifications to a contract are suddenly permissible, but rather because it is acceptable for an online contract to be valid only for a single visit to the website, requiring the user to check the terms and either proceed and accept or discontinue and reject them each time the user visits the site.2 It is considered good practice to prominently disclose the date of the most recent changes, highlight those changes, and make prior versions available online.
A newer and increasingly popular variation of the “proceed after having had an opportunity to review” principle is for companies to issue hard-copy form contracts, purchase orders and the like that do not have a full set of terms and conditions printed on them, but that instead incorporate by reference terms and conditions posted on the company’s website. The date of the signed paper contract determines which version of the posted terms and conditions applies. This approach has distinct advantages: Paper documents without pages of fine print are simpler and more attractive. The terms and conditions can be as complex as desired, and can be changed at any time without reprinting the forms. This type of hybrid agreement has been challenged on the ground that the terms and conditions are insufficiently conspicuous, but courts have had no trouble upholding such incorporations by reference, as long as the website where the provisions are located is clearly identified.3
Not a day seems to go by without some app coming up with a new way to capture and compile ever more information about us. Even if we were to shut off our computers and use landline phones, our friends are posting and tagging their photos of us, Google is photographing our houses from cars and satellites, and surveillance cams in stores are going “smart” to recognize our faces. Public information about such things as our properties, our job histories, schools we attended, who our friends are, once safely offline, has become “hyper-public.” Sooner or later information about even the most reclusive hermit will be available on the web, complete with biometric identification. Realtime online facial recognition systems are becoming so accurate that it is only a matter of time before a person walking down the street will be able to identify everyone who passes by—where they live and work, who their friends are, what their interests are, how much education they have, and whether they have criminal records. One big-city police chief, after discovering that every officer in his department under age 30 had a Facebook account, wondered how anyone would be able to do undercover work in the future.4
The Internet has affected our notion of privacy in many ways, one of which involves the ability to express our views anonymously. James Madison, Alexander Hamilton and John Jay wrote the Federalist Papers using a pseudonym. Two hundred years later, the Ohio legislature tried to ban anonymous political literature. The U.S. Supreme Court struck down the law, stating: “The right to remain anonymous may be abused when it shields fraudulent conduct. But … in general, our society accords greater weight to the value of free speech than to the dangers of its misuse.”5
Although online privacy is normally a matter of contract, some violations of online privacy occur outside of any contractual relationship. These include spamming, hacking into someone else’s computer, accessing someone else’s email account without permission, logging into an employer’s computer system after one has left the company, stealing a laptop with confidential medical data, and “phishing” (attempting identity theft by putting up a fake merchant website and hoping people will provide personal information). Numerous federal and state laws cover such issues. Examples include the Electronic Communications Privacy Act, which prohibits unauthorized access to any computer, the Computer Fraud and Abuse Act (CFAA), which makes it illegal to access a “protected computer without authorization, or exceeding authorized access,” and the federal CAN-SPAM Act, which does not ban unsolicited commercial email, but requires that every such email provide an ability to opt out. Most states, including Ohio, also have data breach notification laws, which require companies that maintain individuals’ private information to notify those individuals in the event of a privacy breach.6
Commercial websites collect and analyze large amounts of data about their customers as well as mere visitors, and generally that’s fine as long as they disclose what types of data they collect and what they use it for. If they fail to do this, it could be costly. The Federal Trade Commission (FTC) actively pursues website operators that violate consumer privacy rights, or that mislead visitors by failing to maintain adequate security for sensitive consumer information; multimillion-dollar fines and settlements are not rare. State attorneys general likewise enforce consumer protection laws in an online context.
Children under age 13 have an extra measure of privacy protection. The Children’s Online Privacy Protection Act (COPPA) prohibits the operator of any website that is “directed to children,” or any operator who knows that the website is collecting information from such children, from collecting that information without parental consent.9 The phrase “directed to children” is not defined by statute or rule, but the FTC, which is responsible for enforcement of COPPA, seems to interpret it as meaning “directed primarily to children.” Although the FTC actively enforces COPPA as applied to true children’s sites, even if a website attracts millions of visitors under age 13, so long as the site is not directed primarily to children it apparently will not risk FTC enforcement action.
Journalists have unique privacy needs. The First Amendment, while protecting freedom of the press, does not guarantee that journalists will never have to reveal their sources. Such privilege, if it is to exist at all, must be in the form of a statute. A large majority of states have some form of journalistic shield law that protects journalists from being required to reveal their sources. But who is a “journalist”? Individuals who are not constrained by any journalistic ethics, who never studied journalism, and who never worked for any news organization now flood social networks, reader comment forums, blogs and do-it-yourself websites with videos, photos, comments and descriptions of “fact.” Are such people “journalists”? With regard to the privacy afforded by shield laws, traditional journalists have the advantage over self-professed online journalists. To take advantage of a shield law, most states, including Ohio, require the person claiming shield law protection to be a “real” journalist, and not just a blogger. In fact, Ohio requires that not only must the person be a real journalist, but he or she must have been functioning as one at the time the source disclosed the confidential information.10
Employees who use the Internet at work generally understand that their employers may monitor their online communications. It is settled law that as long as the employees are informed that they have no expectation of privacy regarding such communications, the employer may monitor them. Nonetheless, some courts have held that notwithstanding employer policies, privileged communications—such as those with counsel or a spouse—remain privileged even when an employee uses a workplace computer to communicate.11 Ohio courts have not ruled on the issue.
Some people encrypt their files in the belief that they cannot be compelled to reveal their password—and they may be right. The U.S. Court of Appeals for the 11th Circuit recently ruled that a defendant who has been ordered to divulge a password may refuse and invoke the Fifth Amendment protection against self-incrimination.12
One other overarching legal issue regarding online privacy is known but seldom addressed. Notwithstanding any privileges or contractual protection, since 2001, numerous federal laws and executive orders have given government agencies the right to monitor any Internet traffic they wish, and have required Internet service providers and equipment manufacturers to build monitoring capabilities into their systems. Since the focus of such monitoring is national security rather than investigation and prosecution of criminal offenses, no individual has successfully claimed standing to challenge any such measures.13
Part two of this article will appear in the November/December issue.
Robert L. Ellis is a partner at the Columbus firm of Peterson, Ellis, Fergus & Peer LLP. His areas of practice include international and domestic commercial transactions, internet and technology law and intellectual property law. Ellis is a frequent speaker on topics related to the Internet, digital technology law, international private law, privacy law and legal ethics. His email address is firstname.lastname@example.org.
1 See, e.g. Snap-on Business Solutions Inc. v. O’Neil & Associates, Inc., 708 F.Supp.2d 669, 682 (N.D. Ohio 2010), and cases cited therein.
2 Peleg v. Neiman Marcus Group, Inc., 2012 WL 1297337 (Cal. App. Apr. 17, 2012). Compare Harris v. Blockbuster, Inc., 622 F.Supp.2d 396, which held invalid a “changes effective upon posting” clause that failed to state that such changes did not affect events or disputes arising prior to the posting.
3 One Beacon Insurance Co. v. Crowley Marine Services, Inc., 658 F.3d 258, 268; 2011 WL 3195292 (5th Cir.) (applying maritime law): “[I]nternet provisions clearly incorporated by reference into a purchase order, readily available on the identified internet site, and plainly and clearly set forth therein, are binding even where the party has not read them.” Oceanconnect.com, Inc. v. Chemoil Corporation, 2008 WL 194360,*11 (S.D. Tex.): “Here, it is beyond dispute that the confirmation and the receipt refer to [defendant’s] ‘terms and conditions.’ In addition, the confirmation explicitly states, ‘[p]lease contact us if you require a copy of the standard terms and conditions of sale of marine fuel by [defendant],’ and the terms were available on [defendant’s] website. For that reason, Plaintiff cannot claim that the terms and conditions were not made available to it.”
4 Hamish Barwick, “Social media could render covert policing ‘impossible’,” TechWorld, Aug. 25, 2011, www.computerworld.com.au/article/398599/social_media_could_render_covert_policing_impossible_/.
5 McIntyre v. Ohio Elections Commission, 514 U.S. 334, 357, 115 S.Ct. 1511, 1524, 131 L.Ed.2d 426, 438 (1995).
6 18 U.S.C. §§2510-2522; 18 U.S.C. §1030; 18 U.S.C. §1030(a)(2), (a)(4), 5(A)(ii) and 5(A)(iii); 15 U.S.C. §7701; R.C. 1347.12 and 1349.19.
7 EF Cultural Travel B.V. v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003); U.S. v. Drew, 259 F.R.D. 449, 461 (C.D. Cal. 2009).
8 United States v. Drew (indictment), No. CR08-00582-GW (C.D. Cal. May 15, 2008).
9 15 U.S.C. §§6501-6508.
10 R.C. 2739.04. See also Svoboda v. Clear Channel Communications, Inc., 2004-OH-894, 805 N.E.2d 559 (Lucas Cty.).
11 Sims v. Lakeside School, 2007 WL 2745367 (W.D. Wash. Sept. 20, 2007).
12 In re Grand Jury Subpoena Duces Tecum Dated March 25, 2011, 2012 WL 579433 at *4 (11th Cir. Feb. 23, 2012).
13 See American Civil Liberties Union v. National Security Agency, 493 F.3d 644 (6th Cir. 2007).