With the year-end fast approaching, companies of all sizes should take the time to review their websites (including their hosted and SaaS platforms) and mobile applications, to ensure that they are staying up to date on latest legal developments, issues and impending risks. Below is a short list of just some issues to consider.
Privacy Policies and Notices
New – and complicated – privacy laws are coming into force at an unwavering rate. Businesses of every size must stay on top of these laws if they collect personal information of any kind. While some businesses may believe that they do not actually collect personal information, businesses must look further – starting with their online contact forms and the cookies dropped on their websites. Some organizations believe that they can avoid providing a privacy policy on their website because they only collect data in a business to business context, however that information is still considered personal information under privacy laws and consumers (and regulators) now expect to see a posted privacy policy or other indicator of practices. Businesses no longer have an excuse to ignore data privacy and security laws given the risks of violation of these varied laws. Companies must take stock, inventory both their online and offline data, and address how to handle such data in their privacy policies.
A privacy policy should be seen as a living document that changes over time according to new laws, guidance, cases and any changed or new data collection, usage or disclosure practices of a company. In fact, the California Consumer Privacy and Protection Act (“CCPA”) which will become effective on January 1, 2020 requires that a business covered by CCPA update its privacy policy at least annually. While last year companies scrambled to get their privacy policies and practices in order for the European Union’s General Data Protection Regulation (“GDPR”), now companies are struggling to comply with CCPA. Just as of October 1, 2019, Nevada’s amended statute went into effect to require website operators to have a privacy policy with certain disclosures. More states are quickly following suit, adding to the patchwork of United States privacy laws with which companies must comply.
Apple Terms
If you have a mobile application that is available on the iOS App Store, you must ensure that your terms of use or end user license agreement includes the minimum terms as mandated by Apple. Currently, Apple mandates 10 general flow down terms that mobile application providers must include. The terms range from specifying how the user may use the application, that the application developer alone is responsible for maintenance and support and product claims to making Apple a third party beneficiary entitled to enforce the terms of use or end user license agreement against the user.
As Apple may update its requirements from time to time, you should take care to review the requirements at least annually to update your terms of use or end user license agreement based on the latest Apple mandates. One would not want to run afoul of the Apple requirements, particularly if their mobile application gains success.
Class Action Waivers
Class action plaintiff attorneys have created specialized firms that target businesses under various laws, ranging from the Americans with Disabilities Act (ADA) to product liability and employment matters. After January 1, 2020, we expect to see more class actions in the privacy and security arena, particularly under the CCPA.
Under the CCPA, if a business suffers a security incident that is attributable to failure to maintain reasonable security measures, statutory damages can range from $100 to $750 per consumer per incident, or actual damages, whichever is more. These damages can quickly add up: one incident affecting just 30,000 individuals may result in damages of at least $22 million. Although the language of the CCPA seemingly precludes terms that would result in a consumer waiving their rights to bring a class action suit, a class action waiver could be a saving grace for businesses facing these types of suits. Indeed the Federal Arbitration Act may allow for the enforceability of class action waivers. Businesses must ensure that any arbitration agreement and class action waiver contained in its terms of use/service is valid and enforceable.
Accessibility
When you think of a “public accommodation” that must be accessible to those with disabilities, you may think of a library or a restaurant rather than a website. However, there has been an upward trend of cases involving accessibility of websites that purportedly violate Title III of the ADA, which prohibits discrimination on the basis of disability in “places of public accommodation.” 42 U.S.C. § 12182(a). Courts have been split regarding whether or not websites are a place of public accommodation, and therefore must be accessible to those with disabilities. As noted above, class action plaintiffs’ counsel now send letters and file numerous suits against companies based on their website, making the class action waivers even more important.
The California Attorney General’s proposed regulations to the CCPA presents a crossover requirement that a business’s privacy notice be “accessible to consumers with disabilities.” Indeed, many companies now seem to sincerely desire to ensure their websites are available to a broad audience and an industry has cropped up with vendors that provide accessibility services. Additionally, several sources detail accessibility methods, including the World Wide Web Consortium (W3C) at https://www.w3.org/standards/webdesign/accessibilityW3C Web and certain programs at Berkeley and Stanford.
Once you get your website and mobile application in order, language can be included to indicate to those with disabilities that your site is accessible.
If it is not already apparent, tackling these issues and getting your website and mobile applications in order takes time. But, the time is an investment in preventing future liability.