Incorporating Online Terms By Reference: Avoid the Common Mistakes

Terms of Service agreements are used to outline the legal relationship between a party providing a service and a party receiving or using a service. The Terms typically include contractual components such as definitions, rights and responsibilities, and representations and warranties. Service providers may offer Terms of Service in several ways, including by paper, by attachment to an order form, or during the process of “click through” ordering, either on a website or mobile application. Additionally, service providers are increasingly providing their Terms of Service online, and incorporating them into contracts and order forms by reference.


Benefits of Incorporating Online Terms of Service By Reference

Incorporating Terms of Service by reference can provide several advantages over traditional methods. First, incorporating online terms significantly reduces the amount of physical paper used by both parties. Reducing paper consumption and waste is not only an increasingly popular initiative for companies concerned about the environment, it can also increase efficiency and reduce costs.

Second, incorporation by reference allows companies to establish uniformity across all of their contractual agreements. Service providers often contract with hundreds or thousands of customers, and the more consistency those agreements have, the less time and effort is required to track, analyze, and report the company’s legal exposure.

Another valuable benefit is the ease with which a company can rollout updates to its standard Terms of Service. By incorporating Terms by reference, a company can simply update the agreement online and it will subsequently apply to all contractual provisions that incorporate those terms (assuming the incorporation language is worded correctly, as discussed below). This method of updating standard terms by one upload can save massive amounts of time as compared to the alternative: sending the updated terms individually to every customer.

Lastly, providing terms online offers customers a valuable, easy-to-access portal to the contractual agreement. Customers can certainly retain their own copies, but online availability can provide a quicker, easier resource than clunky contract retention systems.


Are Incorporated Terms Enforceable?

While the digitization of traditional business practices is nothing new, incorporating online terms into purchase orders is a relatively recent development. Yet courts at both the federal and state levels have held such incorporated terms enforceable, and several courts note that failing to inquire about incorporated terms is no defense. Where courts have found terms unenforceable, the incorporating language did not make clear that the online terms were binding.

Additionally, all U.S. states but Washington and Georgia have adopted the Uniform Electronic Transactions Act of 1999 (“UETA”), which states, “a contract may not be denied legal effect or enforceability solely because an electronic record was used in its formation.” However, under the UETA, the electronic records must also be “capable of retention by the recipient.”

Another issue is the enforceability of updates to the incorporated terms. While few courts have considered the issue, generally it appears courts will uphold updates as enforceable when the party to be bound was made aware that updates could occur, even if the party is not provided notice of the actual update. In Briceno v. Sprint Spectrum, L.P., a Florida appellate court held a customer was bound by updated terms because the invoice noted that the terms could be periodically updated.


Best Practices for Incorporating Online Terms

To ensure enforceability, companies should not simply state the location to find additional terms. Companies must state the binding nature of the terms in clear, specific, and conspicuous language (e.g., “Parties agree to be bound by the terms of this order form as well as ACME’s Service Terms found at”).

Additionally, companies must be sure to provide incorporated terms on an easily accessible website. Companies should not use barriers like login requirements or other security measures that make it difficult for the counterparty to copy, download, or print the terms.

Even if enforceable, companies should consider the best way to apply updated terms to their contracts. Some companies do not have long-term agreements with their customers, and each purchase order constitutes a new contract. For these types of relationships, it likely makes sense for updated terms to apply immediately to any new purchase orders.

Other companies maintain existing contractual agreements with their customers, and each purchase order may simply constitute a means for the customer to request goods, or to periodically change business terms, such as upgrades to the number of subscriptions or users, within the overarching framework of a master agreement. For these companies, it may be contrary to their customers’ expectations if, for example, a simple user upgrade suddenly binds them to an entirely new and different set of terms than had previously governed the relationship. Additionally, for these customers, having different subsets of users bound to different terms may unnecessarily complicate the contractual situation rather than streamlining it.

Lastly, companies should consider whether it’s even desirable for standard terms to apply to all of their customers. If customers are situated in a variety of international jurisdictions, or if customers have widely divergent needs, it may be advisable to tailor contractual terms to the different customer bases.


Entity Selection for Startups: A Tax Perspective

The entity classification regulations under Internal Revenue Code section 7701, otherwise known as “check-the-box” regulations, allow startups to choose their classification for Federal tax purposes. Although the filing process itself is extremely simple (one simply checks the appropriate box, dates, signs, and submits the form), the tax implications of the choice of entity can be extremely significant.

This article will assist startups in choosing an entity by comparing and contrasting the tax implications of organizing as a C corporation, S corporation, or limited liability company (“LLC”). Sole proprietorships and partnerships will not be covered in this article as they do not provide full limited liability to owners, and other entities better meet the needs of most startups.


Startups that Expect Venture Capital Funding or Expect to do an IPO

The most significant tax feature of a C corporation is that it is taxed twice: first, the corporation is taxed on its net income, and then shareholders are taxed when they receive dividends. Though double taxation is unappealing, the first taxation layer prevents the corporation’s income from “flowing-through” to shareholders, which is why C corporations are the investment entity of choice for venture capital firms. Most venture capital firms raise money from tax-exempt entities, and if the firm invests money in a flow-through entity—such as an S corporation or LLC—then its tax-exempt investors would receive disadvantaged tax treatment.

If a startup plans on issuing shares through an initial public offering (“IPO”), then it should incorporate as a C corporation, as opposed to other corporate forms. An S corporation is unsuitable for an IPO because it cannot have more than 100 shareholders. LLCs are byproducts of state law, and thus it is extremely difficult to do an IPO of an LLC. Unlike a C corporation, which has unlimited life and free transferability, there is a risk that a LLC will dissolve when a member dies. Some states require all LLCs to dissolve after a set period of time. Furthermore, even if a LLC manages to become publicly traded, it will lose its status as a flow-through entity and lose it tax advantages.

In addition, if ownership interests in the startup will be provided to employees, tax law gives favorable tax treatment to incentive stock options (ISOs) granted by a corporation. An ISO holder does not have to pay taxes on the value of the stock options when she receives the options; the holder incurs tax liability only when the shares are sold. At the time of sale, the recognized gain is taxed at the long-term capital gains rate, which is more favorable than the ordinary income tax rate.

Thus, if the startup expects to receive funding from venture capital firms or do an IPO, then incorporating as a C corporation is the clear choice. However, choosing an entity becomes less straightforward in cases where venture capital funding or an IPO is not expected.


Startups that Expect to Initially Operate at a Loss or Distribute Current Earnings

As discussed above, S corporations and LLCs do not pay corporate tax because it passes income directly to its owners and investors. Because current earnings are taxed as ordinary income, startups intending to distribute current earnings and profits to their owners would avoid double taxation by organizing as a flow-through entity. On the other hand, if a startup expects to initially operate at a loss, then its owners will be able to deduct losses from their individual taxable income.

If a C corporation distributes current earnings, the amount cannot be deducted by the corporation except as salary (or other reasonable compensation) to shareholders who are also employees of the company. Thus, startups that expect to operate at a loss initially or to distribute current earnings should not incorporate as a C corporation. Instead, they should organize as a flow-through entity.

For startups that seek to build long-term value by accumulating or reinvesting earnings, other factors become more important. But in this case, since stock held for more than one year is taxed at the long-term capital gain rate—which is lower than the ordinary income rate—incorporating as a C corporation should be considered. Moreover, if a C corporation that qualifies as a small business corporation holds stock for more than 5 years, it will likely cut its capital gains tax rate in half.

As mentioned above, in certain cases there are tax benefits in organizing as a flow-through entity. Next, we will examine the implications of organizing as an S corporation versus an LLC.


Incorporating as an S Corporation vs. a LLC

As flow-through entities, S corporations and LLCs enjoy similar tax benefits. Neither pays corporate tax on earnings, and owners in both can deduct losses from individual tax returns. There are important differences, however, in ownership and formalities.

The IRS subjects S corporations to more restrictive ownership regulations than LLCs. First, S corporations can have no more than 100 shareholders, can only have one class of stock, and may not have non-U.S. citizens or residents as shareholders. Also, S corporations can only have one kind of shareholder: individuals. This limits startups that would otherwise consider raising capital from institutional investors. Comparatively, an LLC is unrestricted in the number of its members, can have foreign members, multiple classes of stock, and institutional investors as members. Therefore, LLCs are much less restricted in its ownership regulations. Additionally, LLCs can be incorporated tax-free for even more flexibility. For instance, after its owners and investors have deducted the initial startup losses, the LLC can incorporate in order to obtain funding from a venture capital fund.

Moreover, S corporations are corporations—which mean they must adopt bylaws, issue stock, hold initial and annual director and shareholder meetings, and keep meeting minutes with corporate records. LLCs, on the other hand, are not required to take any of these steps, although they are recommended.

Generally, because LLCs are flexible, require minimal formalities, and are easy to set up, any startup looking to establish itself as a flow-through entity should probably organize as an LLC,



Incorporating as a C corporation is recommended for startups that expect to receive venture capital funding or do an initial public offering. This explains the wide prevalence of C corporations on the West Coast, where venture capital funding is abundant. On the other hand, organizing as an LLC is recommended when startups expect to operate at a loss initially or distribute current earnings. Although S corporations are also flow-through entities, LLCs are generally better suited to startups because of the ownership restrictions and additional formation requirements for S corporations.


The Dangers of Copying Terms of Service and How to Avoid Them

It might be tempting to copy the Terms of Use from another website, but should you? Attribution: Cathy Olson.

It might be tempting to copy the Terms of Use from another website, but should you? Attribution: Cathy Olson.

Facebook has 1.55 billion users, and each of them has a contract with the company. At their scale, there are few documents more important than their Terms of Service (ToS). Understandably, many Internet entrepreneurs are and should be concerned about this critical part of their business, even if they don’t have the same reach as the Facebooks of the world. Unfortunately, many resort to simply reproducing an existing ToS from a comparable company, but such copying can be risky, in addition to painting companies as cheap knock-offs of their competitors.

Sometimes, another company’s ToS will be very attractive because it contains specific provisions that are relevant to your company as well. If you’ve built an application that tracks your users’ location, then it will be very tempting to copy Uber’s ToS, for example (or large parts of it). But would doing that be in the best interest of your company? Further, would it even be lawful?

Leaving You Vulnerable

The most significant downside of copying a ToS is that it will not contain the provisions tailored to your particular business. If a user or customer were to take legal action against your company, you would be missing the language that could make all the difference in settling or winning the dispute.

Competitors may be using a surprisingly different process to provide similar services. For example, if you’re providing a service based on wireless communication protocols, your competitor might be operating with a different technology, and the provisions of their ToS will very likely reflect that. There might be clauses arising specifically from the technology used, such as the reliability of connectivity, say over the RFID protocol (radio-frequency identification), that are irrelevant to your company, which might be using the NFC protocol (near-field communication). If for whatever reason a dispute arises that implicates the reliability clause, having a custom-tailored ToS is essential.

Governing Law

A ToS can in fact be protected by copyright, and entrepreneurs and their lawyers should take heed. At least one court has found a company liable for copyright infringement when they have copied important sections of public-facing contracts used by competitors.  In AFLAC of Columbus v. Assurant, Inc. et al (2006), a federal district court in Atlanta found that the non-boilerplate sections of AFLAC’s insurance policies were protected by copyright, and that competitors in the insurance market would be liable for infringement if a court found substantial copying. Since an insurance policy is a contract like any other, the same logic would hold for a ToS.

It may come as a surprise, since any practicing lawyer knows that the building blocks of most contracts are copied from others, but contracts that are sufficiently original and creative may be entitled to copyright protection. Accordingly, a contract containing many commonly used provisions can still be protected by copyright because the particular arrangement of provisions could constitute an “original” (and thus copyrighted) compilation.

Practical Risks

The risk of being sued for copyright infringement is small. However, there is a non-legal risk of others viewing the product or service as derivative and unoriginal, making competitors look like the first-mover and innovator in the relevant market. This is especially true for more sophisticated readers of the agreement, such as strategic customers or investors, who may look at the ToS more closely. This obviously doesn’t apply to the standard boilerplate provisions that can be found in almost all contracts, such as a force majeure clause, but in the areas of the Terms that are unique to that particular business, it will look bad.

Open Source Contracts

On the other hand, some companies have generously made their ToS available for the public to use, so long as they provide attribution. Automattic, the company behind the popular, recently open sourced their ToS (in the spirit of their own open source software). They’ve made it available under a Creative Commons Sharealike license, which enables others to copy and repurpose the document so long as internal references are relabeled and attribution is given to

In conclusion, if you’re tempted to copy another company’s ToS, you may be infringing on their copyright if you take provisions that are unique or distinct from industry custom. If instead you copy just boilerplate or commonly accepted industry provisions, you should be in the clear.

The question then is, if you’re a lawyer, or even an entrepreneur who’s not afraid to draft a ToS, how should you draft solid language that is not a direct rip-off of your competitor’s? See Part 2 of our ToS series to find out!

Part 2: Drafting a Unique and Effective Terms of Service

Lawyers have an ethical obligation to provide fundamentally sound legal advice to their clients. This advice often includes work product that is memorialized, and in the case of a ToS, publicly displayed. This presents an interesting issue: How can the new ToS be distinguished from the original without sacrificing the client’s objective of superior work product? The original document  might be legally sound, comprehensive, well-organized, and narrowly tailored to your market. Yet, completely plagiarizing an existing document has ethical implications, as well as the issue of outside perception mentioned above.

To that end, it’s advisable to start with a series of strong sample documents from sources like CooleyGo, UpCounsel, or Docracy. These are released into the public domain and thus present no copyright concerns.

One process used at our Clinic allows practitioners to create effective ToS documents without plagiarizing. You begin by finding several samples. We found it helpful to begin with documents from the most successful technology companies. By comparing the ToS’s of Apple, Facebook, Google, Uber, and others, we were able to more readily identify boilerplate language common to software and Internet companies. We were able to identify how these companies dealt with specific risks, like server failure, data breach, and personal injury.

Armed with the knowledge of how the biggest and best tech companies minimize risk, we then looked for smaller companies that were in the same field as our clients and had more relevant language to reference. We identified the sections of these ToS’s that were not boilerplate and we stripped them of their legalese. Once we had a version in entirely laymen’s terms, we then translated back to legalese using our own verbiage and adding our own relevant language. This created an authentic ToS that was tailored perfectly to our client’s business.

Other Information

For other information on this topic:


A Primer on Privacy

The Public Trial of Samsung’s SmartTV

In early February 2015, Shane Harris at the Daily Beast reported on a provision in the Samsung’s Privacy Policy:

“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”

This clause sparked outrage, and comparisons to Big Brother in George Orwell’s 1984, online:

“Samsung’s Smart TV privacy policy sounds like an Orwellian nightmare” – The Verge

“Careful what you say around your TV. It may be listening. And blabbing.” – The Daily Beast

“Left: Samsung SmartTV privacy policy, warning users not to discuss personal info in front of their TV Right: 1984” – Parker HigginsEFF Activist (as shown in the above image)

Samsung was forced to act quickly. By amending its policy for clarity and revealing more about how the system works in a blog post titled “Samsung Smart TVs Do Not Monitor Living Room Conversations,“ the company attempted to stem the tide of complaints from privacy and consumer advocates. The voice recognition system would only be triggered by the user pressing a button on their television remote or the user stating one of the several predetermined commands. In the latter event, voice data is apparently not transmitted. Samsung also identified who the third party would be, Nuance Communications, Inc. Additionally, they guaranteed that it would be possible opt out of the voice recognition system entirely.

While the system Samsung described isn’t particularly novel, and likely doesn’t reveal anything secret, it did initially provoke some visceral reactions. The internet storm surrounding the policy started conversations, yet again, about the privacy practices of services and companies we engage with every day. For the entrepreneur, it should serve as a reminder and incentive to develop your policies early, review them often, and ensure compliance with your own polices. This post will serve as a primer on the essentials of privacy policies.

Privacy Policy Basics

 What is a privacy policy?

A privacy policy is a document that describes to users of your service, usually a website or mobile app, the data you will be collecting, how it will be collected, and how you will be using it. Depending on the nature of your website this data could range from usernames, email addresses, and very limited browsing information stored in a cookie to highly sensitive personal information such as credit card numbers, health records, personal names, and addresses. A privacy policy will typically discuss your intentions for the data and how it is stored and transferred securely. If you intend to process some information about your users for directed advertising, or sell user information directly, you should disclose information relating to what data is shared, what kinds of third parties (meaning companies the interaction with which the user will have no control over or possibly knowledge of) will be handling the data and how the data is secured.

Why do you need one?

In the US, there is no general federal requirement that a service provides a privacy policy. Instead it is a patchwork of statutes that cover services targeted to children (COPPA), financial services and banks (FCRA), and health-care providers (HIPAA), among others. However, some states have taken it upon themselves to mandate this kind of disclosure. Specifically, California requires “any commercial web sites or online services that collect personal information on California residents through a web site to conspicuously post a privacy policy on the site.” This may include posting the policy directly on your web site homepage, or linking to it using the word Privacy. Here is a more in-depth explanation.

Many countries and regions have created their own standards and regulations. The European Union has highly developed privacy law and has a set of principles endorsed through a directive: transparency, legitimate purpose, and proportionality. While the US government has created a program for US companies to comply with these principles, any company specifically planning to do business in Europe or collect data from individuals from the European Union should exercise great care. (For the curious, the summary article on Wikipedia is a quick introduction).

In the US, the Federal Trade Commission is responsible for regulating business practices and has the potential to issue fines for unfair practices. Failure to adhere to your own policies can be such a practice. The company facing liability may have acted deliberately, or may simply have inadvertently given access to an untrustworthy outside party.

Consumers are beginning to pay attention to privacy and security. As demonstrated by the Samsung debacle, a company that is clear, concise, and open with their privacy policies may have a leg up in organically growing goodwill while a company that is deceitful, deliberately confusing, or formalistic in their policies risks at best embarrassment and possibly outrage or loss of customers.

Lastly, if you plan to publish a mobile app, Apple, Google, and Microsoft may require a privacy policy accessible from your app or the respective store.

How do you write one and what should you be thinking about?

It is likely not wise to rely solely on a free privacy policy generator (easily found through an internet search). At the bare minimum, you should be highly critical of anything generated without an in-depth analysis of your business needs and practices. While writing your company’s privacy, you will want to consider:

1) What information are you collecting? What do you need?

Are you collecting everything just in case it becomes useful? Are you processing payment information or health information? Is your service covered by COPPA, or another special federal regulation? Are user interactions with the website tracked and logged?

Specifically identify the types of information collected.

2) How are you going to use and protect the data?

Are you recording information to improve usability and meeting consumer demand? Do you plan on generating revenue through targeted advertising? Is the information securely stored on servers you maintain or through another provider? Will the data be sent to outside companies and if so, what do their policies look like?

You don’t need to reveal secrets about your company’ strategy, and obviously you shouldn’t give away anything sensitive about your data security policies, but make sure your customers know their information is safe.

3) Are there chances that your uses will evolve?

This is where knowledge of your business plans becomes important. Are you engaging in a high growth model, with revenue to come later? Is it foreseeable that you may need to open up your data collection to another party for auditing purposes? How much control will you be giving to your users regarding storage of their information?  Even if you later revise your policy, you might need users to affirmatively opt-in to the revised policy in order for it to cover data collected under the prior policy.

4) How do you plan to notify your users of changes?

By being open (or even collaborative) with your users, you can quickly foster a sense of community and trust. In the alternative, by alerting them to updates to your policy or describing what was changed and why you can keep control over your terms without being seen as having an ulterior motive. It is important to designate the date your policy becomes effective for the initial version and each update.

5) How advanced will your user base be?

In some cases it may be preferable to provide an additional slimmed down version of your policy that explains your behavior in simpler terms. This could also be accomplished through creative uses of formatting and headings. There are a variety of approaches to this ranging from a basic approach to a sophisticated summary of terms.




Application of HITECH and HIPAA to Healthcare Startups


When working with a startup with a technology in the healthcare space, attorneys should be aware that there are new rules and regulations that can have a major impact on how the product should be built and sold to customers.

The HITECH Act revises the definition of a “business associate” so as to require a company to follow HIPAA regulations if it “creates, receives, maintains, or transmits Protected Health Information (PHI), or “maintains” PHI on behalf of a covered entity (hospital/other providers), or if it is any subcontractor of that entity who will have access to PHI.

Steps to Mitigate Risk:

One way to help your client avoid HIPAA liability is to simply de-identify all health information.  This is of course one method to make PHI unusable, unreadable, or indecipherable to unauthorized individuals, and once PHI has been de-identified in accordance with the HIPAA Privacy Rule, it is no longer PHI and, therefore, no longer subject to the HIPAA Privacy and Security Rules.  The Standard for De-Identification is § 164.514(a).  Health information that does not identify an individual, and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual, is not individually identifiable health information.  There are two ways to ensure that health information has been de-identified, one using an expert determination under 164.514(b)(1) and one through satisfying the requirements of the Safe Harbor enumerated under §164.514(b)(2).  In the startup world, cost of an expert determination makes the Safe Harbor the better option if de-identification is a possibility at all.  Of course with many profile-based software, de-identification may become a serious hurdle to overcome in software design.  Consulting your clients about the benefits of building the technology without such identifying information would of course ease the requirements of complying with HIPAA requirements.

Another way to mitigate potential HIPAA liability is to follow the HIPAA encryption guidelines.  As rulemaking following the HITECH act iterates, “While covered entities and business associates are not required to follow the guidance, the specified technologies and methodologies, if used, create the functional equivalent of a safe harbor, and thus, result in covered entities and business associates not being required to provide the notification otherwise required by §13402 in the event of a breach.”

Encryption works to make PHI unusable, unreadable, or indecipherable to unauthorized individuals only if one or more of the following applies:

If the Electronic PHI has been encrypted as specified in the HIPAA Security Rule by ‘‘the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key’’ and such confidential process or key that might enable decryption has not been breached. Certain encryption processes have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.


Understanding how HIPAA privacy regulations may now apply to startup clients entering the healthcare IT software space is essential to limit your client’s potential liability.  One option to deal with this risk is to suggest complete de-identification of information through the satisfaction of the Safe Harbor requirements or through an expert determination. The other option is to point your client to the functional encryption safe harbors as tested by the National Institute of Standards and Technology.  Furthermore, the earlier along in the process clients become aware of these requirements, and how they can mitigate risk, the more easily clients may be able to adjust the design of their technology to ease the burden of compliance.


New California “Do Not Track” Privacy Policy Requirements

Do Not Track ImageThe use of tracking software by websites is widespread. Advertising companies and social networks use technology such as cookies to track the websites consumers visit and the route they take from one website to another. For instance, tracking technology can tell the difference between whether you got to a website through a Google search or by clicking on a hyperlink in a news article. Companies can then use this information to build a profile on individuals in order to target advertising on different websites that they visit. Advertising companies are then able to discriminate to different consumers based on the profiles the companies build. Additionally, advertising companies are able to make money by selling these valuable profiles to websites.

The use of this type of tracking software is, as probably expected, controversial. Privacy advocates believe this tracking to be an invasion into web users’ privacy and that the companies doing this tracking fail to adequately disclose the full extent to which this tracking is taking place. These advocates are also concerned with the extent of information tracked, which can include highly sensitive and personal data about health issues, location, and finances. On the other hand, advertisers and companies using the data love the technology because it allows companies to target consumers more accurately and allows advertisers to charge more for better data. This data can be particularly valuable for startups looking to increase the number of users and grow their web presence.

As a result of these concerns, privacy advocates have taken some steps to try and remedy these concerns. Software developers have designed software to try and prevent websites from tracking user activity across the web. The technology works by placing a signal on the users computer that tells websites the user does not want to be tracked. This signal is currently ineffective because there is no requirement that advertisers follow the signal. The World Wide Web Consortium (W3C), an organization that sets standards for the web, created a working group composed of privacy activists, advertisers and others, to try and develop a standard approach to “Do Not Track” signals. In September 2013, however, the effort ended in failure when the constituent parties could not agree on an approach and decided to disband.

Despite the failure of the W3C efforts, once again California leads the way in regulating and shaping regulation of online privacy, this time as it applies to “Do Not Track” signals. California has taken an assertive stance in developing regulations concerning online privacy by passing the Online Privacy Protection Act (CalOPPA) and establishing the Office of Privacy Protection as part the California Department of Justice. Given California’s large and tech-savvy population it is incredibly important for startups to keep apprised of and comply with California privacy regulations as they will almost certainly be operating in the state. In October 2013, Governor Jerry Brown signed into law an amendment to CalOPPA that regulates the use of Do Not Track signals by websites operating within the state. The new amendment is applicable to websites that collect “personally identifiable information” which includes things like name, address, email address, telephone number, or other identifiers that allow the website to contact the user and went into effect January 1, 2014. Rather than requiring that websites comply with Do Not Track signals, the law now requires that websites describe in their privacy policy how they react to “Do Not Track” signals, and indicate whether third parties can collect “personally identifiable information”, if they track user activity, in addition to the previous CalOPPA requirements. Websites may also meet the new requirement by posting a “clear and conspicuous hyperlink” to a description of any program that the website uses to manage online tracking and give the consumer the ability to opt-out. As a result, websites are not forced to cease tracking user activity, but simply requires a website to tell the user what they are doing. Websites who do not comply, are subject to a warning from the California Attorney General requiring the operator to comply within thirty-days and also faces the possibility of lawsuits from the state government and private parties.

The new law has come under fire from both sides of the online privacy debate. Some, such as Eric Goldman, a Professor at Santa Clara University School of Law, argue that the law hurts websites and consumers by imposing additional compliance costs on websites, not providing true disclosure because consumers rarely read privacy policies, and failing to cover all tracking technologies. Others, such as Chris Cronin, an information security professional, argue that the law falls short because it is weak and does not require websites to protect user privacy or comply with “Do Not Track” signals. Regardless, given California’s de facto ability to set national privacy standards and the fact that compliance with the new law is simple, it behooves startups to comply with the new recommendations by amending their privacy policies.


COPPA: Protecting Children’s Privacy Online

COPPA is designed to protect the privacy of children, but complying with COPPA can be difficult for startups.

COPPA is designed to protect the privacy of children, but complying with COPPA can be difficult for startups.  Attribution: Mike Licht.

Do you operate a website or app that is targeted at children? Even if your website or app is targeted at a general audience, do you know that you collect some personal information from children? If you answered either of those questions with a “yes” or even a “maybe,” there is a good chance you are subject to the Children’s Online Privacy Protection Act of 1998 (COPPA). Under COPPA, operators of a website or online service directed to children under the age of 13, or who knowingly collect personal information from children under the age of 13, are generally prohibited from collecting this information without parental consent. While there are exceptions and safe harbors to this general rule, compliance can be quite burdensome for start-ups with limited resources.

The Trouble with Verifiable Parental Consent

The Federal Trade Commission (FTC), charged with regulating COPPA, proclaims, “the primary goal of COPPA is to place parents in control over what information is collected from their young children online.” Hence, compliance with COPPA requires some method of obtaining verifiable parental consent for the operator to use, collect, or disclose a child’s personal information. This is the hurdle that trips up most startups falling under COPPA. As you can see below, the process of obtaining this consent is burdensome and inconsistent with the startup’s efforts to onboard new users with as little friction as possible. One FTC-recommended approach requires operators covered by the rule to perform all of the following:

  1. Post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children;
  2. Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children;
  3. Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);
  4. Provide parents access to their child’s personal information to review and/or have the information deleted;
  5. Give parents the opportunity to prevent further use or online collection of a child’s personal information;
  6. Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and
  7. Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.

As a writer, I will be lucky if you actually read through all seven steps, let alone comprehended what each required for compliance. Now, imagine trying to advise a start-up to implement each of those . . . yeah, right.

Why You Should Comply with COPPA

While there are exceptions to obtaining prior parental consent, they are too narrow for the scope of this post, and unlikely to have much impact on COPPA compliance. So, why should operators care about being subject to COPPA, and how can they reasonably comply? Violators of the rule can be held liable for civil penalties of up to $16,000 per violation, which can add up quickly and debilitate a cash-strapped start-up from moving forward.

Realistic Solutions for Complying with COPPA

1. Don’t Fall Under COPPA by Clearly Avoiding Children User’s – The cheapest and easiest way to comply with COPPA is to simply not fall under the rule in the first place—don’t target children under the age of 13, and ensure that you aren’t collecting personal information from children under the age of 13.

2. “Age-gate” to Avoid Falling Under COPPA – In order to avoid COPPA’s coverage, consider using one of the following free options that utilize an “age gate” function, which requires a user to enter their date of birth in order to certify their age, before entering a website or app:

  1. If the user is under the age of 13, you can just deny their access to the website or app.
  2. If the user is under the age of 13, you can also allow the user to only access the online service through a “safe-mode” that does not collect, use, or disclose a child’s personal information. This means prohibiting a child from setting up any type of account or profile, and requires close monitoring of a child’s activities. For example, any text or input of any kind from a child must be monitored to prevent identification of the anonymous user profile.

3. Use a Safe Harbor Program – One plausible route for obtaining verifiable parental consent is through the FTC-approved COPPA safe harbor programs. Examples of these safe harbor programs include iKeepSafe, KidSAFE, and TRUSTe. While there seems to be some uncertainty surrounding these programs, the prospect of having service providers handle companies’ COPPA compliance is appealing and most likely the direction we are heading. These programs can serve as a portal for parents to read the privacy policies of multiple websites and provide consent, all in one easy-to-use location. Of course, this comes at a cost.

Understandably, some operators will fall under the umbrella of COPPA due to their business model. In this case, it is highly recommended that you consult a COPPA compliance attorney before launching the online service. However, if it is possible to exclude children from your online service, consider the aforementioned approaches for bypassing COPPA.


Visiting Your Competitor’s Web Page: Should Entrepreneurs be Concerned?

Competitor Website Pic.v3

Entrepreneurs, you can check out your competitors. But it’s likely they’re watching you watch them.

Data Collection and the State of the Internet

Data collection is an integral and expected practice of the internet. In fact, many companies, both established and new alike, rely on it for their continued existence. Data serves a critical role in either their marketing strategies or monetization strategies. Or in some cases, both. This data provides useful information essential to adjusting and tailoring a company’s business strategy. Both websites and third-party advertisers collect data.  This data includes IP addresses, location, and web history. Since the practice is unlikely to go away, the question becomes “as an entrepreneur, should I be worried about visiting my competitor’s website?” The good news is that there are some things that can be done to minimize the information a competitor learns about you from your visit to their website. This blog post will cover: 1) some of the technology involved, 2) examples from Facebook’s data usage and privacy policies, and 3) some suggestions going forward.

Technology involved

Numerous free or low-cost tools exist for a company (such as one of your competitors) to ascertain the affiliation of visitors to the company’s website.


Cookies are small text files created when a user loads a website. Every time the user returns to the site, the browser sends this file to the site’s server. Both websites and ad servers create cookies on a site. Important for our purposes, cookies inform how and when ads are shown.  You can learn more about cookies here.

Pixel tags

Pixel tags are small blocks of codes on a webpages that allow websites to read and place cookies. The resulting connection can include information such as the person’s IP address, the time the person viewed the pixel, and the type of browser used.  You can learn more about pixel tags and how Facebook uses them here.  

Web Analytics

Services such as Quantcast, Google Analytics, KISSmetrics provide extensive data. They include demographic information (age and gender), location information, time on site, and other metrics. IP addresses by themselves will give away a user’s location and network information. For instance, visit IPInfo’s free geolocation databases.  Users are greeted with IP address information on the right-side of the screen (IP address, country, region, city, and time). These services can be free or paid, and therefore, there aren’t significant barrier to entry. A basic (yet still comprehensive) version of Google Analytics is available for free.

Examples from Facebook Data Use Policy and Practices

As it has become a part of many people’s daily habits, Facebook may become a problem for the cautious entrepreneur. First, Facebook may increase your competitors screen time as a user’s information and web traffic affect advertising. Second, it may tip off your competitors as to your presence.

Facebook is rather explicit (but not entirely straightforward) in its online policies. Facebook’s privacy page states that they receive data from and/or about “the computer, mobile phone, or other devices you use to install Facebook apps or to access Facebook.” This information may include your “IP address or mobile phone number, and other information about things like your internet service, operating system, location, the type (including identifiers) of the device or browser you use, or the pages you visit.” Facebook additionally receives data whenever you visit other websites, games, and applications that use the Facebook platform or use a Facebook social plugin.

Certain information on Facebook WILL ALWAYS REMAIN PUBLIC UNLESS DELETED. For our purposes, this includes name, user ID, and networks.

Facebook’s cookie policy

Facebook may read a cookie so they can show you ads that may be interesting to you on Facebook or other websites. They also use a cookie to learn whether someone who saw an ad on Facebook later visited the advertiser’s site. Similarly, Facebook partners may use a cookie or another similar tech to determine whether they’ve shown an ad and how it performed. Information may be shared with partners.  More more information, wee Facebook’s cookie policy here. 

Facebook Page Analytics

For a Facebook page, you can see how many people your post reached, how many people clicked it and how many people clicked it, commented on it, or shared it with their friends. The Facebook Pages feature allows administrators (or rather your competitors) to identify the location of users who have seen “any content associated with [their] page.”  

What does this all mean for the entrepreneur?

The problem for entrepreneurs is two-fold. First, you may be tipping off your competitors about your presence (and your interest in your competitor). Second, you may be increasing your competitor’s web traffic.

In the first instance, as explained above, by merely visiting your competitor’s website, your competitor is likely capable of learning your location, gender, and age (inferred age group. Furthermore, your competitor might be able to identify your network.To combat this, you may consider using the TOR browser.  The TOR software prevents tracking by “bouncing your communications around.” Your internet traffic is carried over a network of different relays, which are hosted by volunteers globally. According to the TOR site, “it prevents somebody watching your Internet connection from learning what sites you visit, [and] it prevents the sites you visit from learning your physical location.”[5]

Private browsing does not anonymize your data. IP addresses and other related information may still be collected. Private browsing only prevents cookies from being stored once the browsing window has been closed. However, a private browsing session will not read cookies from other sessions.

The second situation is not nearly as avoidable. Increased visits to a competitor’s website will increase web traffic. The cookie stored from that site will inform Facebook and other advertisers that you have viewed that site. As a consequence, it will then serve up more ads related to that site/product. Additionally, the more visits a page receives, the more likely it is to show up in search results and other advertisements in general. If you want to research your competitor, this consequence is almost inevitable.


Data collection is here to stay. As privacy policies change, entrepreneurs should be mindful of their internet behaviors, and they should remain up to date on policies. While you can cover some tracks, some things are unavoidable and are the cost of doing business.