James Harrison - Legal Loopholes And Internet Black Holes The Terms And Conditions Of Being Online

Terms and Conditions of Being OnlineJune 9, 2009

James Harrison

2

Overview

• Off-line Rules• Online Transactions• Internet Sales Legislation • PIPEDA and Privacy• Security• Record Keeping• Hyperlinking• Retention of Data • Payment Cards

3

Off-Line Rules

• 4 Contractual Components:• Consideration• Intention to create legal relations• Offer• Acceptance

• These same components apply to the online world

4

Acceptance

• How does acceptance take place online?• exchange of emails• “I Accept”

• Electronic Commerce Act (Ontario):• “A legal requirement that information or a

document be in writing is satisfied by information or a document that is in electronic form if it is accessible so as to be usable for subsequent reference”

• United Nations Model Law on Electronic Commerce (1996)

5

Online Transactions

• Three main types of transactions in the world of electronic contracting:• shrink wrap – off the shelf software• click wrap – “I Agree”• browse wrap – terms and conditions located

on the web site• All three raise questions regarding assent• Courts have generally upheld the use of click

wrap agreements• Less so with browse wrap

6

Browse Wrap

• Satisfaction of Four Conditions:• The user is provided with adequate notice of

the existence of the proposed terms• The user has a meaningful opportunity to

review the terms• The user is provided with adequate notice

that taking a specified action (which may be use of the web site) manifests assent to the terms

• The user takes the action specified in the latter notice

7

Strategies in developing click-through agreements

• Opportunity to Review Terms• presenting the terms• place the means of assent at the end• provide sufficient opportunity to review

• Display of Terms• format and content must comply with applicable laws as to notice,

language, conspicuousness• consistency with other terms of website

• Acceptance or Rejection• clear choice to assent or reject and clear words• clear method – mouse click• consequences of assent or rejection• notice of consequences – by clicking yes, you acknowledge that

you have read…• Opportunity to Correct Errors• Keeping Records

• maintain records of transaction (document steps taken by client)• cannot inhibit the client’s ability to print or store record

8

Internet Sales and Consumer Protection Legislation

• Enacted in B.C., Alberta, Saskatchewan, Manitoba, Ontario and Nova Scotia

• Part of Consumer Protection Legislation• Ontario Consumer Protection Act, 2002

came into effect July 30, 2005• all consumer transactions if either the

consumer or the person dealing with the consumer is located in Ontario

• no business presence in Ontario required

9

Overview of Internet Sales Legislation

• Pre-contract Disclosure Requirements• Minimum Content Requirements for Online

Contracts• Delivery Obligations• Cancellation Rights• Fines and Penalties for Non-compliance

10

Pre-contract Disclosure Requirements

• Certain information must be disclosed to the consumer prior to entering contract:• the supplier’s name and, if different, the

name under which the supplier carries on business;

• the supplier’s business address and, if different, the supplier’s mailing address;

• the supplier’s telephone number and, if available, the supplier’s e-mail address and facsimile number;

11

Pre-contract Disclosure Requirements …continued

• a fair and accurate description of the goods and services being sold to the consumer, including any relevant technical or system specifications;

• an itemized list of the price of the goods or services being sold to the consumer and any associated costs payable by the consumer, including taxes and shipping charges;

12


• a description of any additional charges that may apply to the contract, such as customs duties and brokerage fees, whose amounts cannot reasonably be determined by the supplier;

• the total consideration payable by the consumer to the supplier under the contract or, where the goods or services are being purchased over time, the amount of the periodic payments under the contract;

• the currency in which amounts owing under the contract are payable;

• the terms, conditions and methods of payment; • the date when the goods are to be delivered or the

services are to begin, or both;

13


• the supplier’s delivery arrangements, including the identity of the shipper or carrier, the mode of transportation and the place of delivery;

• the supplier’s cancellation, return, exchange and refund policies, if any; and

• any other restrictions, limitations or conditions of purchase that may apply.

14


• Disclosure Information must be:

• “prominently displayed”;

• in a “clear and comprehensible” manner; and

• made accessible in a manner that ensures the consumer has accessed and is able to retain and print it.

15


• Use of links to provide required disclosure information is problematic.

• Tip: Printer friendly buttons.

16

Opportunity to Correct Errors

• Must provide consumer with an express opportunity:

• to accept or decline the contract; and

• to correct errors immediately before entering into it.

• Tip: “I Accept” buttons.

• Tip: Prompt consumer to review information and to correct errors.

17

Delivery Requirement

• Supplier must provide consumer with a copy of the contract within 15 days after the contract is entered into.

• Contract must include the disclosure information plus: • consumer’s name; and• date the contract was entered into.

18

Delivery Requirement …continued

• Alberta:• The Internet sales contract can be provided

to the consumer by:• e-mail; • facsimile; • regular mail;• any other manner that ensures that the

consumer has received the copy; or• “actively transmitted” to the consumer in a

manner that ensures the consumer is able to retain the copy.

19


• Nova Scotia, British Columbia, Ontario and Saskatchewan: • The Internet sales contract may be

delivered by:• e-mail;• facsimile;• regular mail; or• by any other manner by which the supplier can

prove that the consumer has received the copy.

20


• Ontario:

• Manner of delivery must ensure the consumer is able to retain, print and access the agreement for future reference.

• Calls into question the use of links to terms and conditions as method of delivery.

21

Cancellation Rights

• Not a “cooling off” period.

• More limited cancellation rights:• If supplier failed to disclose required

information or failed to provide express opportunity to accept or decline agreement or to correct errors, consumer may cancel Internet agreement at any time from date agreement is entered into until 7 days after consumer receives a copy of agreement;

22

Cancellation Rights …continued

• If supplier fails to provide consumer with a copy of agreement as required, consumer may cancel Internet agreement within 30 days after the date the agreement is entered into.

• Ontario: additional 30 day cancellation right if contract delivered does not contain required information.

23

Consequences of Cancellation

• Supplier must provide a refund within 15 days

(30 days in Manitoba) from the date of cancellation.

24

Fines and Penalties

• Ontario: • Individual - up to 2 years less a day in jail

and/or can be fined up to $50,000;

• Corporation - can be fined up to $250,000;

• Officer/Director – can also be found guilty if failed to take reasonable care to prevent the corporation from committing an offence.

25

Tips for Online Sales Practices

• Avoid use of links to provide required disclosure information.

• Provide summary screen that highlights all the required information, including details of their order.

• Provide consumers with the express opportunity to accept, decline or correct their order before it is processed.

• Provide printer-friendly buttons and expressly encourage consumer to print and keep copy of agreement.

26

Tips for Online Sales Practices …continued

• Upon processing an online sale, immediately send a confirmation e-mail which includes a copy of the contract.

• Avoid use of links to online agreement in confirmation e-mail.

• Arrange for the prompt delivery of goods or services or set specific realizable delivery dates which are communicated to the consumer both online and in the sales contract.

27

PIPEDA and Privacy

• The Personal Information Protection and Electronic Documents Act • Applies to the collection, use or disclosure

of personal information in the course of any commercial activity (as of January 2004)

28

Framework of PIPEDA

• Organizations must obtain consent (express or implied) prior to collecting, using or disclosing an individual’s personal information

• Information can only be used for purposes for which it was collected, and such purposes must be reasonable in the circumstances and must be disclosed to the individual prior to or at the time of collection

• If an organization intends to use the personal information for a secondary purpose, consent must be obtained

• Organizations should adopt security procedures• Individuals have a right to access their personal

information to ensure accuracy and to update

29

Personally-Identifiable Information

• “Personal Information” means information that identifies or can be used to identify, contact, or locate the person to whom that information pertains.

• Does not include the name, title or business address or telephone number of an employee of an organization.

• Sensitive Information – credit card number, social insurance number, most information about children, financial data, political information

30

Creating a Privacy Policy

• Notice/Knowledge – tell customers what you are collecting from them and how you are using it

• Choice/Consent – depending on the sensitivity and use of the information, offer clients the opportunity to opt in or out

• Security – keep information secure• safeguards need to be more stringent the more

sensitive the information• Review/Correction – you must give clients the

opportunity to review and correct information collected• Compliance – have internal compliance procedures in

place and appoint a privacy officer. Work to resolve client issues

31

Notice

• When must you give notice?• Any time an organization collects PII from an individual

(regardless of use to be made)• Five Elements of Notice

• Type of PII Collected – unless obvious, list what information is being collected (must disclose when cookies, bugs or bots are used)

• Use of PII – list uses to be made of information being collected – appropriate consent must be obtained

• Review and Correction – provide customers with an ability to review and correct data you have collected

• Contract – provide name and email address or phone number of contact person for any questions/concerns regarding privacy

• Link to Policy Statement – provide on home page and within text of notice

32

Additional Safeguards

• Only collect what you need• No external distribution• Offer opt out to sharing of information with

other organizations/businesses• Secure the information (encrypt credit card and

social insurance information)• Acquisitions of all PII data from other

organizations should be reviewed for restrictions on use

33

Hyperlinking

• when the transfer of data is part of a web linking agreement, the user should be given notice that they are exiting your site

• any site that is “framed” within your site (as in a co-branded site) should abide by privacy principles similar to your own

• If linking partner is promoting to the user, the partner must provide ability to opt out

• any cookies used by advertisers or linking partners should be mentioned in notice

34

Retention of Data

• PIPEDA • Organizations should develop guidelines and implement

procedures with respect to the retention of personal information• These guidelines should include minimum and maximum retention

periods • PII that has been used to make a decision about an individual shall

be retained long enough to allow the individual access to the information after the decision has been made

• PII that is no longer required to fulfil the identified purposes should be destroyed, erased or made anonymous

• Charities’ Records• A Canadian registered charity must keep adequate duplicates of

receipts for at least two years from the end of the calendar year in which the donations were made

• Most other documents need to be kept for 6 years from the end of a fiscal year

35

Payment Card Industry Data Security Standard

• Alignment of card brand requirements into a single standard (2004)

• Administered by the PCI Security Standards Council and is intended to be a world-wide standard

• Widely used so is becoming a generally accepted standard by which security is measured

• Last updated October 1, 2008 (added some standards and combined standards with security and assessment procedures)

36

PCI Standards

• 12 broad requirements:

1. install and maintain a firewall configuration to protect cardholder data;

2. avoid using vendor-supplied defaults for system passwords and other security settings;

3. adopt measures to protect cardholder data;

4. use encryption of cardholder data across open networks;

37

PCI Standards

• 12 broad requirements:

5. use and update anti-virus software or services;

6. develop and maintain secure systems and applications;

7. restrict access to card-holder data by business need-to-know;

8. assign a unique ID to each person with computer access;

38

PCI Standards

• 12 broad requirements:9. restrict physical access to cardholder data;10. track and monitor access; 11. regularly test security systems and

processes; and 12. maintain information security policies for

employees and subcontractors.

• More detailed descriptions of required measures are included under each topic.

39

Questions/Comments?

40

Thank You

• Contact details:

James Harrison

Associate

Osler, Hoskin & Harcourt LLP

1 First Canadian Place, Suite 6600

Toronto, Ontario M5X 1B8

Tel: 416.862.4744 / Fax: 416.862.6666

[email protected]

James Harrison - Legal Loopholes And Internet Black Holes The Terms And Conditions Of Being Online

Education

consumer transactions

prompt consumer

browse wrap terms

proposed terms

terms of website acceptance

suppliers cancellation

suppliers business address

display of terms format