Anatomy of a Privacy Policy

Website privacy policies long seemed a mundane subject—but they’re increasingly under scrutiny as a new form of actionable contract.

By Julie A. Lewis

This article examines whether, and how, the mundane privacy policy link located at the bottom of most websites becomes a contract between the site sponsor and innumerable site users. In an effort to manage data-related class actions, website sponsors continue to invoke the arbitration clauses contained in the site’s terms and conditions or privacy policy. The motion to compel arbitration is the common gateway to contract formation analysis in the federal courts.

When the privacy policy is elevated to a contract between the site sponsor and its users, all of its terms apply. In a logical extension of web contract formation principles, site sponsors are now defending against breach of contract claims based on privacy policy language that may never have received a serious legal review. 

Mandatory arbitration is a double-edged sword

Like so many seemingly narrow decisions, Epic Systems Corp. v. Lewis was about one thing—whether the Federal Arbitration Act’s saving clause allows courts to refuse to enforce class-action waivers in employment arbitration agreements—and then became about something else.1 After Justice Gorsuch firmly reiterated the right to impose arbitration by contract, enforcing that right has become a cornerstone of privacy policy litigation. 

Pre-emptive motion practice in privacy policy class actions currently focuses on whether disputes must be arbitrated as a matter of contract between the site sponsor and the site user. Courts first look for a contract. If the website’s terms or privacy policy is a contract, it is a contract for all intents and purposes.

Assent: Inquiry notice and affirmative acknowledgement

Federal courts are more than willing to enforce mandatory arbitration terms found in website policies if the policies provide adequate notice of the term to the site user and if the facts indicate that the site user assented to the term. (Certain “wrap” agreements convey assent, while others do not.) State law governs contract formation; however, it is not an overstatement to say that the federal courts, in applying state law, are creating a set of consistent expectations for website legal agreements. 

The contract formation standards under development by the federal courts are based on the court’s close scrutiny of the visual presentation on the user’s screen. Some of the world’s largest website businesses can currently be found on either side of the line.

Contract of adhesion formation. Courts refer to web agreements as contracts of adhesion. Users must agree before they can access the web information, product, or service. To enforce a web agreement, the site sponsor must prove that the user had actual or inquiry notice of the online contract’s terms. Most related litigation is over inquiry notice questions.

Inquiry notice of an online agreement depends on the design and content of the website and the agreement’s webpage. Online contracts may present as “clickwrap” agreements, in which the user clicks an “I agree” box at the end of the terms; “browse wrap” agreements, in which the terms are posted via a link at the bottom of the webpage; or “hybrid wrap”/“sign-in wrap” agreements, in which the user registers to use the internet product or service and the signup screen requires assent to the terms of use before the user can access the product or service.

Courts generally do not find notice or assent to a browse wrap agreement because the terms are not made plain for the user on the webpage. In 2016, the 7th Circuit found in Sgouros v. TransUnion Corp. that the parties did not agree to arbitrate disputes related to TransUnion’s “FREE credit report” and “$1 credit score” because the box that the user clicked to authorize TransUnion’s use of the plaintiff’s personal information did not mention the website’s Service Agreement.2

Blue typeface. A vital part of web contract formation analysis is the court’s evaluation of the design and visual aspects of the webpages under review. In March 2020, the Northern District of California decided Arena v. Intuit, Inc., holding that Intuit, Inc.’s TurboTax sign-in wrap agreement did not create a valid arbitration agreement.3 While the agreement’s hyperlink appeared immediately under the TurboTax sign-in button and the sign-in page contained an explicit statement that signing in constituted assent to the terms, the hyperlinked text itself was not sufficiently conspicuous.

The hyperlink was presented in blue typeface but was not underlined. Citing the 1st Circuit’s 2018 decision in Cullinane v. Uber Techs, Inc., the Arena court rejected Intuit’s argument that the color difference was adequate inquiry notice. The court relied on plaintiff’s expert witness testimony from a cognitive scientist to conclude (1) a consumer would be less likely to notice text in a lighter shade than other text on the same page, (2) the sign-in page contained multiple, confusingly similar hyperlinks (i.e., Turbo Terms of Use/Turbo Tax Terms of Use), and (3) less than 0.55% of users logging into TurboTax’s website actually clicked open the terms hyperlink. Even though users were specifically required to accept the “TERMS” to use the services, the court declined to find assent because the acceptance made no reference to knowledge of the terms. 

By contrast, on 4/23/2020, the same court found user assent to arbitrate in DoorDash, Inc.’s sign-in wrap agreement because the screens were uncluttered, the notice text was close to the sign-up button, and the terms and privacy policy hyperlinks, while not underlined, were in blue text and were the only hyperlinks on the page.4

The double opt-in and other contract questions

As data privacy litigation gains speed, web businesses have accelerated web page improvements to try to stay ahead of it. In addition to updating website agreements to add the design indicators of assent, companies are updating their arbitration policies to strengthen their position in court, but with mixed results. 

Double opt-in: In Soliman v. Subway Franchisee Advertising Fund Trust Ltd. (03/05/2020), a double opt-in for promotional sandwiches by texting “Subway” and then responding to “Reply w/ur ZIPCODE as ur sig 2agree 2 SUBWAY offers” did not bind the plaintiff to the hyperlinked terms and conditions containing an arbitration agreement.5

Email modification: In Wilson v. Redbox Automated Retail, LLC (03/25/2020), a site user could not have agreed to an email modification adding an arbitration clause when she could not have assented to the original terms due to the site’s cluttered and confusing video rental screen.6

Pre-checked box: In Lundbom v. Schwan’s Home Service, Inc. (05/26/2020), the court applied the perspective of “a reasonably prudent smartphone user” to find that the plaintiff agreed to receive text marketing messages by default when her food delivery registration included a pre-checked box indicating consent to receive SMS marketing communications.7

Opt out: In Page v. Alliant Credit Union (05/18/2020), credit union members were bound by an emailed arbitration amendment to their membership agreement when they did not read the email and did not opt out.8

Integration clause: In Hutt v. XpressBet, LLC (05/29/2020), the defendant’s disclosure of plaintiffs’ multiple wagering accounts was actionable only in arbitration because the integration clause in the Terms of Wagering incorporated the arbitration clause into the privacy policy.9

Unilateral contract modification clause: In Miracle-Pond v. Shutterfly, Inc. (05/15/2020), the plaintiff’s continued use of the site constituted acceptance of a subsequent arbitration agreement modification because the original terms of use contained a valid unilateral change in terms provision.10 (But see Engen v. Grocery Delivery E-Services USA Inc. (04/10/2020), in which the U.S. District Court in Minnesota declined to find a valid agreement to arbitrate modification where HelloFresh’s numerous emails to the plaintiff did not call attention to the modification and were sent for marketing purposes.11)

Data privacy litigation: From assent to consent

Arbitration clause litigation has, even in the past 90 days, tested and defined our understanding of web-based contracts between site sponsors and site users. Now that we know that site sponsors can enforce their arbitration agreements with users when assent is present, site users also know that they can hold site sponsors accountable for the promises made in near dormant (until now) website terms and conditions and privacy policies. 

Beyond free-sandwich text opt-ins, interest in how personal information is being used runs high. Personal data is now a commodity. Unlike generalized complaints under a site sponsor’s terms and conditions, violations of its privacy policy lead to recognized and demonstrable damages: unauthorized access to or use of the site user’s personal information.

Personally identifiable information

Personally identifiable information (PII) has taken on the character of property whose ownership and integrity must be defended against hackers, scammers, monolithic corporations, and other nefarious elements on the internet. Every state has some form of privacy protection statute that covers intrusion, interception, or unlawful use of private data and data breach obligations. Certain states, like California, have developed a data privacy code covering many aspects of data use by site sponsors. Federal law separately regulates consumer rights, financial data, children’s data, student data privacy, and protected health information.12 

PII plaintiffs typically combine state and federal statutory claims with contract claims in a data privacy violation complaint. As the federal courts develop the new law of web-based contract formation, they are developing the parameters for actionable privacy claims in tandem.

State legislation that provides for a private right of action includes:

California Consumer Privacy Act (CCPA):13 Effective January 1, 2020, this act requires a for-profit business with annual gross revenues of over $25 million—or one that buys, receives, sells, or shares personal information of 50,000 or more consumers, households, or devices, or that derives 50 percent or more of its annual revenue from selling personal information—to meet certain obligations when it operates in California. (“Operates” includes sponsoring a website that is accessible to California residents.) The CCPA’s private right of action is limited to certain data breaches caused by a failure to maintain reasonable security procedures; its other requirements are enforced by the California Attorney General. If the business may collect personal information from California residents, the business must:

  • provide a clear and conspicuous link for California residents to opt out of the sale of their personal information;
  • inform California site users of their right to request deletion of their personal information;
  • describe the categories of PII that are collected;
  • allow California site users to obtain a copy of their PII collected by the company, or destroy the information at the consumer’s request with verification to the consumer;
  • make available an email address and toll-free number for data information requests;
  • train employees on the CCPA obligations; and
  • carry CCPA obligations through to the company’s third-party service providers.

Illinois Biometric Information Privacy Act (BIPA):14 Effective October 3, 2008, the BIPA allows a private right of action for violations, including collecting facial geometry from photographs through online “tagging” features without the required notice and consent. 

Other state legislatures are actively studying legislation that will expand data privacy rights.

Privacy policy

There are three main concerns driving protective privacy policy judicial decisions. All are anchored by lack of consent from the PII owner: data interception, sharing data with third parties for sale or otherwise, and data breach/inadequate security.

Data interception: The U.S. District Court for the Northern District of California found that a contract was formed through the combination of Google privacy policies attached to its different devices, platforms, and services. Sharing a user’s PII with other Google services the user had not engaged, contrary to those policies, stated a breach of contract claim.15 Where, for example, the Android device privacy policy assured customers that their information would be aggregated and de-identified, or the Google Wallet privacy policy promised that Google would notify users if certain PII was shared with third parties, those promises extended to Google’s internal sharing of PII among its various platforms and services.

Data sharing: Similarly, a breach of contract claim against Facebook survived a motion to dismiss when Facebook disclosed user information to its whitelisted apps and business partners without the user’s permission and without giving users the ability to prevent the disclosure.16 Facebook’s data use policy promised that apps would be allowed to use information only in connection with the user’s friends. Allegations that Facebook conducted extraneous undisclosed sharing of user PII with its business partners stated a breach of contract claim.

Data breach/inadequate security: UnityPoint Health is a healthcare network in Wisconsin, Iowa, and Illinois. In 2018, UnityPoint Health’s employee email system was hacked and the hackers obtained access to the PII of 1.4 million patients. UnityPoint Health system gave each system user (patients and others) a copy of its privacy policy. The privacy policy promised that UnityPoint would store personal information “in a secure database behind an electronic firewall” and that system users would receive notice of a data breach within 60 days of discovery. 

Four individual system users filed a putative class action in the U.S. District Court in the Western District of Wisconsin in 2018.17 The defendant argued that there was no separate consideration for the privacy policy, that the privacy policy was merely a promise to follow the law, and that the privacy policy’s unilateral modification provision made it a nonbinding promise. 

The court allowed the breach of contract claim to proceed, holding that separate consideration was not required for the privacy policy because it was incorporated in each health services agreement, that the privacy policy promised more than legal compliance, and that the unilateral modification provision was limited to the privacy policy and did not allow UnityPoint Health to modify or withdraw from the health services agreement. The court also noted that it could infer a data breach because UnityPoint Health did not follow the procedures described in the privacy policy.

Federal courts are issuing decisions on website contract claims on a daily basis. Relying on recent precedent that examines the viability of web-based arbitration agreements, courts focus on the site user’s assent to be contractually bound and then on the site user’s consent to allow the site sponsor to collect, store, and use the site user’s PII. Despite the focus on how the contract is presented to site users, what it says still matters. There is enough state legislation (like the CCPA), federal data privacy law, and federal case law to develop guidelines for website privacy policies. 

Privacy policy guidelines

If the lowly privacy policy is now becoming the engine for contract claims against website sponsors that collect PII for any reason, certain updates may mitigate that risk.


  • Links to terms and conditions and an effective privacy policy should be in blue underlined typeface and, preferably, in a font that is larger or more visible than the font around it.
  • User acknowledgments should be highly conspicuous and visible to a reasonable site or smartphone user. Webpage clutter—including marketing and other bids for the user’s attention—should be minimized or placed elsewhere on the site.

Site wording/language

  • Conspicuous, specific disclosure of the information being collected.
  • Clear, easy-to-understand authorization requirements that stop the user from accessing the website until the authorization is provided.
  • Obvious and clear visual clues and directions on the webpage should be used for both disclosure and use authorization.

California requirements

If the site will be accessible to California residents, it must satisfy the requirements of the California Consumer Privacy Act, including —

  • a description of the information being collected and how it will be used; and
  • a description of the user’s rights under the CCPA.

Policy template: Suggested terms for a website privacy policy 

  • Information collected on the website (a specific description of the personal information the website sponsor collects; this may include personal data, financial data, protected health information, and user site use data).
  • How the information is used.
  • Who uses the information and for what purpose.
  • How the information is collected.
  • How the information is stored.
  • Special sections for Protected Health Information, information collected from California residents, information collected about children, information collected from site users in the European Union.
  • Contact information including a dedicated toll-free number and email address for a site user to use to contact the site sponsor with questions about the user’s data.
  • Policy effective date.
  • Unilateral material modifications notice and consent. 

JULIE LEWIS is the principal of Lewis Law Office, LLC in Madison, Wisconsin, and Minneapolis, Minnesota. Lewis Law Office, LLC advises public, private, and not-for-profit organizations on ERISA, tax, contract, and compliance matters and is legal counsel to a retirement trust.


1 Epic Sys. Corp. v. Lewis, 138 S. Ct. 1612, 200 L. Ed. 2d 889 (2018)

2 Sgouros v. TransUnion Corp., 817 F.3d 1029, 1035 (7th Cir. 2016). But see Acaley v. Vimeo, Inc., No. 19 C 7164, 2020 WL 2836737, at *1 (N.D. Ill. 6/1/2020) (the “Continue With Facebook” window adequately disclosed the website terms and conditions).

3 Arena v. Intuit Inc., No. 19-CV-02546-CRB, 2020 WL 1189849 (N.D. Cal. 3/12/2020) (appeal filed, Dohrman, et al. v. Intuit, Inc., et al., 9th Cir., 3/18/2020).

4 Peter v. DoorDash, Inc., 2020 WL 1967568 (N.D. Cal. 4/23/2020).

5 Soliman v. Subway Franchisee Advert. Fund Tr. Ltd., No. 3:19-CV-00592 (JAM), 2020 WL 1061328 (D. Conn. 3/5/2020).

6 Wilson v. Redbox Automated Retail, LLC, No. 19-CV-01993, 2020 WL 1445622 (N.D. Ill. 3/25/2020) (appeal filed).

7 Lundbom v. Schwan’s Home Serv., Inc., No. 3:18-CV-02187-IM, 2020 WL 2736419 (D. Or. 5/26/2020) (appeal filed).

8 Page v. Alliant Credit Union, No. 1:19-CV-5965, 2020 WL 2526488 (N.D. Ill. 5/18/2020).

9 Hutt v. Xpressbet, LLC, No. CV 20-494, 2020 WL 2793920, at *1 (E.D. Pa. 5/29/2020).

10 Miracle-Pond v. Shutterfly, Inc., No. 19 CV 04722, 2020 WL 2513099 (N.D. Ill. 5/15/2020).

11 Engen v. Grocery Delivery E-Servs. USA Inc., No. 19-CV-2433 (ECT/TNL), 2020 WL 1816043 (D. Minn. 4/10/2020) (appeal filed).

12 Cf. Gramm-Leach-Bliley Act, 15 U.S.C. 6801, et seq.; Safeguards Rule 16 C.F.R. part 314; Children’s Internet Protection Act (CIPA) 20 U.S.C. 9134; Family Educational Rights and Privacy Act (FERPA) 20 U.S.C. 1232g; Health Insurance Portability and Accountability Act (HIPAA) of 1996, Pub.L. 104–191, 8/21/1996, 110 Stat. 1936.

13 Cal. Civ. Code 1798.100, et seq.

14 Illinois Biometric Information Privacy Act, 740 ILCS 14.

15 In re Google, Inc. Privacy Policy Litigation, 58 F. Supp. 3d 968 (N.D. Cal. 2014).

16 In re Facebook, Inc. Consumer Privacy User Profile Litigation, 402 F. Supp. 3d 767 (N.D. Cal. 2019).

17 Fox v. Iowa Health System, 399 F. Supp. 3d 780 (W.D. Wis. 2019).