How Enforceable are Terms of Service Agreements?If you use regularly use the Internet, software or smartphones, you’ve probably agreed to at least a few hundred terms of service agreements in your life. Chances are you probably haven’t read every single one of those agreements, as it would take the average person about 76 work days just to read all of the privacy policies they agree to in a year. However, even though very few people actually read terms of service agreements, they can still contain some pretty important information.

For example, after the Equifax breach news broke in September, Equifax began offering its TrustedID identity theft protection service for free. This is something companies tend to offer as a sign of goodwill, but that’s not how it was viewed with Equifax, especially once people noticed that Trusted ID’s terms of service agreement contained a provision stating anyone who signed up for it also had to settle any legal disputes with Equifax through arbitration, effectively waiving their ability to participate in a class action lawsuit against Equifax. Equifax later removed that provision from TrustedID’s agreement, but it did so because of outrage from politicians, cybersecurity experts and the public, not because it legally had to. If terms of service agreements can make you give up your right to take a company to court, then what else can they do, and what are their limits? Read on, and we’ll break it down for you.

What makes a terms of service agreement unenforceable?

A legitimate terms of service agreement is legally binding between the parties who agree to it. However, there are a few things that can make terms of service agreements unenforceable. One of the most common unenforceable terms is the unilateral amendment provision, which gives a company the right to change its agreement however it wants, whenever it wants, with or without notifying its customers. Courts have repeatedly found this term unenforceable in cases like Harris v. Blockbuster Inc., Douglas v. Talk America Inc. and Rodman v. Safeway, Inc., as it requires people to agree to terms that don’t even exist yet. If a company wants to include a provision like this, it generally has to notify its customers of agreement changes, provide a grace period for the changes to take effect and limit the agreement to only apply to events that happen after the agreement is amended.

The way a terms of service agreement is presented to customers also plays a role in how enforceable it is. Most terms of service agreements are exhibited as a wall of text you can read, with a box you can check or a button you can click below it indicating you agree to the terms. These are called clickwrap agreements, because you have to click to get through them, and legally they’re pretty ironclad because the customer has to provide a form of affirmative consent to the agreement. On the other side are browsewrap agreements, which customers passively agree to just by browsing a website or using a service, that don’t hold up as well in court. Since the terms of service aren’t obvious displayed and there’s no explicit way for customers to agree to them, browsewrap agreements make it hard for companies to prove that their customers are even aware of the terms in the first place. For example, in 2012, Zappos actually had its entire terms of service agreement voided in court because it used both a browsewrap agreement and a unilateral enforcement provision.

What’s legitimate in a terms of service agreement?

Sadly, pretty much everything else. In fact, one of the most loathed clauses in terms of service agreements, the arbitration clause, was recently given a thumbs-up by the U.S. Senate. Arbitration clauses, like the one that Equifax had in its TrustedID agreement, require customers to settle legal issues with the company through arbitration, which is privately run and heavily rules in favor of corporations. The Consumer Financial Protection Bureau tried to enact a rule limiting arbitration clauses in financial contracts, but the Senate voted to scrap that rule.

Terms that allow companies to collect, store and share your personal data are also completely legal, and, sadly, many big companies now have provisions like that in their agreements. This can be a huge problem, as some of those companies are not equipped to securely store such large amounts of sensitive data. The high number of recent data breaches from those companies have likely contributed to the sharp increase in identity theft cases, and the increasing need for identity theft protection. Personal data terms can also give companies ownership over your information, as demonstrated by Instagram when it tried to amend its terms of service with a provision that would let it sell user photos for advertisements without asking those users for their consent or offering them payment. As with Equifax, Instagram deleted this term when faced with public backlash, but it was still legal for it to do that.

These terms are not only enforceable in civil court, but criminal court, as well. The 1986 Computer Fraud and Abuse Act, or CFAA, makes it a federal crime to access a computer without authorization or in a way that exceeds authorization. Due to how vague this law is, the CFAA can be interpreted to mean that violations of company terms of service agreements are also violations of federal law. In 2013, the CFAA was used to prosecute programmer and activist Aaron Swartz after he copied files from digital academic library JSTOR, violating its terms of service. While JSTOR didn’t seek to press charges, Aaron Swartz was still charged with crimes under the CFAA, and faced a $1 million fine and a few dozen years in prison.

While there’s no way to get around agreeing to terms of service contracts if you want to use a particular service, you can decide what consumer rights are important to you and try to find companies that support those rights. Websites like ToSDR.org and TOSBack.org break down the most important parts of many corporate terms of service agreements, so you can easily compare services to find one you think is fair. If you’d like to learn more about how you can keep your information secure, follow our privacy blog.