Most consumers pay little attention to the terms and conditions they agree to when downloading software, updating an app, visiting a website, or signing up for a social media platform or some other online venue.
Who knows what’s in all that legal jargon? Who has the time to decipher it? Does it really even matter?
While consumers remain somewhat “in the dark” (and perhaps understandably so) about exactly what they accept when they click the “agree” button, the companies that put forth those terms and conditions have no such luxury. Agreements work both ways, and as a party to so-called “user agreements,” companies need to know exactly what it is they are stating they will do or will not do, and they need to adhere to those terms. Not all do.
“As an experienced intellectual property lawyer and certified privacy professional, I get asked by clients and friends all the time about what options they have when accepting or not accepting terms and conditions like those they encounter on a website or when downloading a piece of software,” explains Eric Ludwig, whose California-based law firm specializes in intellectual property, business litigation, and information privacy matters around the globe. “Of course, their only real option is to agree or not agree. It’s not like there’s a negotiation.”
While the situation is a fairly cut-and-dried “yes/no” proposition for consumers, the stakes are higher for the companies behind those agreements. They need to be transparent about exactly what information they’re collecting from consumers and what they do with that information, including who they share it with, so users can make informed decisions about whether to use or not use their service, website, or app.
Companies that fail to disclose or that falsely disclose what they do with user data, or that fail to adhere to their own stated policies, can find themselves in legal hot water fast, with regulators, with consumers, and with the courts. In essence, what a company says about its privacy policies in user agreements becomes an enforceable edict by which the company is bound.
For example, companies that deal with personal healthcare information, whether online, in-person, or both, must adhere to specific Health Insurance Portability and Accountability Act (HIPAA) requirements concerning how patient data is handled. In addition, these companies may also state their own privacy policies around access to, reporting, and manipulation of that data. If they do something with that data that they say they will not do, and it breaches their own privacy policies, then whether or not it is intentional, and regardless of whether it actually breaks a state or federal law, they can expect legal backlash from consumers for mishandling their data and possibly from other companies for engaging in unfair business practices.
“With the nature of the internet making it easier for companies to do business across state lines and even international borders, it’s very difficult these days for businesses who collect customer data not to run afoul of a few privacy laws without an expert on their team,” says Ludwig. “For most, even though it’s unintentional, it’s only a matter of time.”