How Zappos' User Agreement Failed In Court and Left Zappos Legally Naked (ericgoldman.org)
168 points by dctoedt 1846 days ago | 61 comments

This reminds me of some PadMapper discussions on HN where people noted that scraping Craigslist for public data (addresses) was "against their TOS" so of course it's wrong. Well guess what, Craigslist's TOS is a browsewrap and completely unenforceable.


They even have the "we can change this at any time" part that is especially pathetic:

> CL may post changes to the TOU at any time, and any such changes will be applicable to all subsequent access to or use of craigslist.

I'm not sure why you think this is a compelling argument. In the unlikely event that CL's TOS was found unenforceable, CL would simply adjust them to comply with the courts.

CL isn't carrying out a vendetta against PadMapper. It suffices for their purposes to shut them down going forward. Meanwhile, it helps PadMapper not at all if they gain lawful access to old CL listings. They need all of them, going forward. It is very hard to see the scenario where the law will promise them anything like that.

>>I'm not sure why you think this is a compelling argument. In the unlikely event that CL's TOS was found unenforceable, CL would simply adjust them to comply with the courts.

Such changes would not be enforceable retroactively, meaning they could not be used in the current lawsuit. CL would essentially need to file a brand new lawsuit, which is both costly and time-consuming.

1. The relevant part of the quoted CL language is, "CL may post changes to the TOU at any time, and any such changes will be applicable to all subsequent access to or use of craigslist." EDIT: The qualifier about subsequent use likely makes the language enforceable.

2. Browsewraps are not necessarily unenforceable; courts tend to focus on whether the user had sufficient notice that continued use would constitute agreement to a contract [1].

[1] http://www.oncontracts.com/browse-wrap-agreement-enforceabil...

Yes, that's what I quoted... An agreement that is not displayed to the user and can change at any time is not enforceable.

'jonknee, you make too sweeping a statement there. Neither of the circumstances you describe, separately or together, will necessarily make an agreement unenforceable.

What constitutes hidden terms and conditions is a pretty subtle thing. I think you might be expected to seek out the terms of a business relationship such as this even if it's created unilaterally. It's much easier for a consumer to say 'I just wanted to look for a flat, I had no idea there was a "Firstborn child" clause' than it is for a business to say 'I just wanted to bet my whole business future on this information, I had no idea there would be terms and conditions to access it'.

I wonder what your thoughts are on the GPL. Browsewrap? Check. This or any later version? Check.

The GPL is a completely different beast. First of all it does not govern the usage of software, but its distribution. It does not matter that you don't have to click through it when downloading GPL'd software, because it's only important when you want to distribute software. And in that case the default under copyright law would be "you don't have any right to distribute". The GPL grants you the right to distribute the software under specific conditions. So when making GPL software available for others you can either agree to the GPL or you are simply in violation of copyright.

Secondly, the "this or any later version" is again quite different. It allows you to distribute the given software under the current or any later version of the licence, but since you have the choice of which version to use, a new version cannot retroactively restrict your rights (e.g. if GPLv4 doesn't allow you something that GPLv3 does, you can simply keep distributing under GPLv3 if the original software said "GPLv3 or later"). As long as you comply with the version that you choose when distributing, you're fine. I don't think any court would find a problem with that, as you can't be surprised by someone else retroactively reducing your rights.

The GPL found invalid binds you to stronger chains than having it valid.

>Browsewrap? Check.

Not really. If you're not redistributing then you explicitly don't have to accept the GPL and may not be bound by it. If you are redistributing, then either you read and accepted the GPL or you're breaking the law. Redistributing copyrighted work is not "legal by default" the way clicking a link on a website is.

>This or any later version? Check.

The standard language is "or, at your option, any later version published by the Free Software Foundation". There is no claim there that the FSF can unilaterally change the terms.

The only concern I can see for free software is that "This software is distributed as-is without warranty" notices might not be valid if they're not prominent enough and the user isn't forced to click-through before starting the program.

I find the phrase "legally naked" to be suspect. The point is that a terms of use statement on a website does not constitute a contract because there is no meeting of the minds and no assent from both sides. Moreover, judges don't accept a unilateral statement that terms can change at any time. Hence, Zappos' TOS was found to not be a legal contract.

The linked-to article says "Zappos governed by the default legal rules, which aren't nearly as favorable to it. Losing its contract provisions meant Zappos is legally naked."

Naked means unprotected, correct? But the default legal rules include protection, yes? So naked here can only be a euphemism, rather like in the first warm days of spring where I go outside without a coat and feel 'naked' because I'm missing clothing that I expected. Zappos has protections, just not the protection that it wants. This isn't "naked."

Yet I get the feeling that the author believes that the management provisions that Zappos had in its TOS ("its disclaimer of warranties, its waiver of consequential damages, its reduced statute of limitations, its clause restricting class actions in arbitration") are almost morally necessary. These of course are provisions that so-called "bricks and mortar" stores don't have.

> But the default legal rules include protection, yes?

1. Without a contractual disclaimer of 'consequential' damages [1], Zappos could find itself forced to defend against exorbitant claims for such damages --- and disputes about the underlying facts will usually mean that such claims would have to be resolved via an expensive and uncertain jury trial, as opposed to being disposed of on summary judgment [2] by the trial judge.

2. Different states have different degrees of legal protection for businesses. A brick-and-mortar store generally will be sued only in the jurisdiction where the store in question is located (or a chain might be sued at the location of its headquarters or other, limited venues) [3]. On the other hand, Zappos could be vulnerable to being sued just about anywhere a customer places an order --- the rules about 'personal jurisdiction' are a little fuzzy when it comes to Web sites [4].

So by not having contractual protections, Zappos arguably is exposing itself to the vagaries of whatever the default legal rules happen to be, in whatever state an unhappy consumer happens to live in.

3. The actual business risk to Zappos might not be terrifying here, because the potential harm to consumers from buying an ill-fitting pair of shoes seems manageable (although Zappos does carry more than just shoes). It might be a different story for other e-commerce Web sites. So the object lesson of the Zappos case is worth heeding.

[1] http://en.wikipedia.org/wiki/Consequential_damages

[2] http://en.wikipedia.org/wiki/Summary_judgment

[3] http://en.wikipedia.org/wiki/Personal_jurisdiction

[4] http://en.wikipedia.org/wiki/Personal_jurisdiction_in_Intern...

I made a mistake in referring to a bricks-and-mortar store. I should have asked how mail-order catalog companies survived and thrived for decades under the same laws that Zappos and seemingly also you find sufficiently worrisome as to require a special contract in order to avoid.

I recognize the legal principles which you listed, but is it realistic for this case? That is, of the over 100 years of mail-order catalogs in the US, how many such "expensive and uncertain" trials have occurred, how many were won or lost by the company, and what was the overall business cost?

I say this because I believe that the laws are already, and in general, in favor of the company over the consumer.

Let's take this specific lawsuit as the most relevant case. It wasn't, as you wrote, a case of ill-fitting shoes. It was a data security breach where personal information from some 24 million Zappos customers was copied. A customer claims that Zappos did not follow "federal consumer credit laws by failing to protect her personal information." If that was the case, should that customer not have the right to sue?

Note that as this is a federal law, it does not fall under your #2 point, that "Different states have different degrees of legal protection for businesses."

Should it be so easy for a company and customer to enter into a contract via a TOS which waives those federal protections? If so, should we extend that flexibility to other companies? I think the answers are "no" and "no."

This issue deals with risk management, I know. There are other solutions to risk management. For example, data breaches are a known risk, and can be planned for by designing the system to reduce the impact of the risk, by setting aside funds in order to handle litigation which might arise, and by purchasing insurance coverage should those funds prove insufficient. These make operations more expensive for the company, certainly, while a TOS which waives federal data protections is cheap. There should be no way that exorbitant claims - if unfounded! - based on data security issues should have a severe impact on Zappos.

I'm certain that some restaurants would like customers to waive food protection laws in the interests of cheaper food. Is that acceptable via a TOS-like contract agreement between the restaurant owner and the customer? Why should it be common for an online company, like Zappos, to have a TOS which waives certain customer rights?

'dalke ---

1. At least on first reading, I don't disagree with anything in your analysis responding to my own; in particular, your mail-order catalog analogy seems quite apt.

2. You're correct that the risk-management precautions to which you refer have costs associated with them. Within limits worked out over decades in legislatures and courts, the law allows companies to use contracts to reduce such costs by shifting the associated risks to others.

When a company has sufficient bargaining power, its management typically attempts to do just that: Use standard-form contracts to shift risks to others, and thus reduce the company's costs.

(I spend some of my time helping to negotiate such contracts. As you might imagine, the standard-form contract of a powerful customer will usually be very different from that of a supplier.)

At the risk of belaboring the obvious, this is the same principle that's behind self-service gasoline pumps and self-service checkout lines in grocery stores: The more of a company's costs that the company can get its customers (or its suppliers) to take on, the higher the company's margins will be for the same amount of revenue. Not least, companies' managements are motivated to do this because eventually a company's aggregate costs will necessarily be reflected in the price, and thus the competitiveness, of the company's products and services.

(The costs of a company whose stock is publicly traded will also be reflected eventually in the price of the company's stock. That's generally high on the list of management concerns as well.)

3. The question you seem to pose is whether we should simply forbid contracting parties from contractually shifting risk as described in #2. Various state- and federal laws already do that to a certain extent; see, for example, consumer-protection laws, as well as article 2 of the Uniform Commercial Code (which in most states governs the sale of goods), not to mention employee-protection laws.

Whether a given jurisdiction should attempt to go even further in that direction is a question that comes up every so often. One example is the recent controversy over the U.S. Supreme Court's 5-4 decision that companies can legally include mandatory arbitration provisions in their consumer contracts, thereby largely eliminating the possibility of class-action lawsuits and thus considerably reducing consumers' leverage [1].

Whenever the issue does come up, representatives of various affected interests converge from all directions --- including but not limited to so-called consumer lawyers eager to gain, or preserve, sources of contingent fees and/or statutory attorneys' fees awards.

Ultimately the issue boils down to a political question: What should or should not the law be? As with so many such questions these days, the deep ideological divisions among the American people often result in no change to the status quo.

[1] http://en.wikipedia.org/wiki/AT%26T_Mobility_v._Concepcion

By analogy, being naked is your default protection against the elements. I think it works exactly as intended.

Hence my analogy to a winter coat. During summer in many parts of the world, one does not need clothing as protection against the elements. As the most obvious example, people at a nudist beach survive the entire day without clothing.

It's only when the weather is bad where one needs clothing as protection.

Under this analogy, are business conditions in the US so bad that online stores need "clothing", in the form of special TOS which waive certain consumer protections otherwise available to customers of physical or mail-order stores?

If so, why haven't these considerations become part of the law? Otherwise it represents a barrier to entry, since every new online business must remember to set up those TOS correctly. The linked-to article shows that doing so is hard enough that a large, highly successful company makes mistakes. Why not just incorporate the needed changes as part of the UCC and not worry about it?

It's a pun. Zappos is a clothing store.

I think this is really interesting and important.

We (web developers, entrepreneurs) can't expect to just slap a "Terms of Service" link in tiny grey font at the bottom of every page and expect that to be legally binding. We can't expect agreement without asking for it. It's especially problematic for sites which don't require registration (and I'd like to see those ToS disappear). One site I saw today had a ToS link but no about page. Which is really more important?

Well. You can't use a browse-wrap contract to enforce a binding arbitration clause to strip your customers of the right to avail themselves of civil courts. That doesn't mean every other term of a browse-wrap TOS would necessarily fail in court. It is particularly difficult to compel arbitration in consumer relationships; it's doable, but clauses that seek to compel arbitration have to meet a higher standard than some other contract terms do.

"That doesn't mean every other term of a browse-wrap TOS would necessarily fail in court."

Not to mention the fact that what happened in this court on this issue would not necessarily happen in every court viewing the same facts. Or whether in some cases a company makes a conscious decision to do what they know might fail in order not to add friction to the process. Clean up the mess afterwards, get the extra business now. "Pollute the river and if we get caught and fined, pay the fine!"

Separately, what I would like that I haven't seen in this thread are some thoughts on how a company like Zappos could have made this type of a mistake if it is so obvious.

There are obviously legal technicalities but just in terms of humanely treating your users — don't assume they've agreed to something they haven't read.

If sites don't require registration why would they require a ToS? How would they prove a violation of the ToS if they can't tie you back to the non-existing registration?

Frustrating that "click wrap" is seen as acceptable. Some of them are very many screens in tiny font on a small screen. I don't know how many people actually read those at the time they accept them, but I suspect the number is very low.

It'd be great if there was a standard, simple, AUP / TOS. Perhaps even a TOS-Builder app - you select what your users will be doing and it interactively creates a TOS for you using simple English and short sentences.

I wish there was some law saying that a 'contract' like that is not valid if it has more than X words (e.g. 1,000), it's between a corporation and a person, and the corporation has not reasonably established that the person has consulted legal advice. That would be a relatively unambiguous way to ban such one sided contracts.

The UK Unfair Terms in Consumer Contracts Regulations 1999 [1] are reasonably good in this regard IMO. It gives effect to an EU directive, so most/all EU countries should have similar protection.

Summary of major provisions:

> s.8(1) - An unfair term in a contract concluded with a consumer by a seller or supplier shall not be binding on the consumer.

> s.5(1) - A contractual term which has not been individually negotiated shall be regarded as unfair if, contrary to the requirement of good faith, it causes a significant imbalance in the parties' rights and obligations arising under the contract, to the detriment of the consumer.

> s.7(1) and s.7(2) - A written term must be in plain intelligible language. Any doubt is resolved in the customer's favour.

[1] http://www.legislation.gov.uk/uksi/1999/2083/contents/made

That is very interesting. I didn't know about this sort of law (and yes I'm in another EU member state, so this is relevant to me). Thanks!

You've described a contract of adhesion [1]. They aren't illegal, but are subject to additional judicial scrutiny.

[1] http://www.law.cornell.edu/wex/adhesion_contract_contract_of...

Unfortunately, no longer that much additional judicial scrutiny. The law used to view them suspiciously, since they didn't appear to really be bona fide contracts entered into by two parties who negotiated and agreed on terms. But as Justice Scalia's majority opinion in AT&T Mobility v. Concepcion (2011) argues, "the times in which consumer contracts were anything other than adhesive are long past", and courts now enforce them routinely, actually even striking down state-law attempts to treat them as anything but bona-fide contracts.

It seems like this would have all been mute if zappos did the standard industry thing of including a "I agree to the terms and conditions" checkbox on account creation page:


Sorry to be a pedant. It's "moot":


Isn't it moo? Like the cow?

you're still kind of new, so let me give you some friendly advice, since i've been here slightly longer: hacker news hates jokes and jokes are a great way to get downvoted.

What HN tends to discount are useless and derivative comments of the sort which may turn into "insider" memes.

Humorous comments may get upvoted, particularly when they extend the content cleverly and are well written. However, you are correct in so far as the threshold tends to be higher than is common.

In my experience, it is best to view downvotes as editorial suggestions rather than personalizing them as "hate." A downvote may mean a lot of things, but in general it is often best to consider them as an indication of how well one's point has been communicated. I recommend using them as feedback regarding the quality of one's writing.

Likewise on the subject of communication, one might read your post as a bit uncivil in regard to the way it addresses the author of the parent comment. Curtailing incivility is a current point of emphasis within the HN community.

My question is, how could your point have been better communicated in a way which promotes meaningful dialog, and how could the "edit" feature be used to implement an improved version?

And also remove the clause stating that they can change any part of the agreement at anytime, the op link said this basically makes a lot of these whimsy internet agreements void.

Removing that would make me (as a consumer) happier. Instead they'll probably reword it to say "We can change any part of this agreement that we want, at any time, not even bother to tell you, and you (the consumer) still agree to it. Except for the mandatory arbitration by an arbitrator we choose and we pay... we can't change that part."

No. It applies to the whole terms of use.

Your use of present tense ("applies") suggests to me that perhaps you missed the fact that I wasn't describing what Zappos does today, but rather what I fear many companies will START to do as a result of this decision.

This entire TOS thing should just be eliminated. It's inevitably a bunch of ridiculous legal mumbojumbo and does little but eliminate accountability and give lawyers busy work.

Lately I've been thinking that this should be part of the login process. Enter username and password. Just below the "Login" button there's the "If you click on this button..." text with a link to the TOS. Every time someone logs in they are accepting the TOS. If your login events are recorded you even have a record of when each user logged-in and, effectively, accepted the TOS.

American Express does this when you pay your bill on-line. I hate it --- that was one of the reasons, after decades with AmEx, that I switched all our household spending over to a Southwest Airlines affiliate-program Visa.

I would not consider that to provide adequate notice of a change in the TOS. If it's just a link that never changes, you won't have been notified if it updates.

According to the article:

  Using Clickthrough Agreements.  Zappos had an easy way to 
  form a clickthrough agreement.  As shoppers are checking
  out of the store with their shopping cart, Zappos could
  say "By clicking the 'purchase' button, you agree to the
  Zappos terms of use" with a link to the document.  It's as
  easy as that.  No custom coding, no interstitial web
  pages, no real risk of abandoned shopping carts.

Considering that the author is a professor of Law at Santa Clara University, I would think that the TOS in the login dialog would hold water in court.


What if it included the date of most recent update? Worst case, you could store the user's most recent TOS agreement version or date identifier, and force them to agree after logging in if they want to continue. This seems to be how Apple operates for the App Store.

When I was at Yahoo years ago, and we handled billing for premium services, we'd explicitly store the version of the TOS the user had indicated express consent to as an extra precaution (express consent in this case meant the user had ticked a checkbox to confirm they agreed and then submitted the form).

First of all, the login experience should not change if the TOS is the same as before.

If the TOS has changed, you could accept-reject the login (lock the credentials in the fields) and say "to continue, please read the TOS change and press 'accept' to continue". Or just have this as a separate screen after the login.
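An added example, not code from the thread or from any commenter, sketching the approach discussed in the comments above: store the TOS version each user expressly accepted and require re-acceptance at login only when the text has changed. The names `ConsentStore`, `Acceptance` and `tos_version_id` are hypothetical, and identifying a version by the SHA-256 of its text is an assumption of this sketch.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def tos_version_id(text: str) -> str:
    """Identify a TOS revision by the SHA-256 of its exact text."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class Acceptance:
    user: str
    version_id: str        # hash of the text the user was shown
    accepted_at: datetime  # UTC time of the explicit "accept" action


@dataclass
class ConsentStore:
    """Hypothetical in-memory store; a real one would be a database table."""
    current_text: str
    history: list = field(default_factory=list)  # append-only, never updated

    def current_version(self) -> str:
        return tos_version_id(self.current_text)

    def publish(self, new_text: str) -> None:
        """Replace the live TOS; earlier acceptances stay tied to old hashes."""
        self.current_text = new_text

    def accepted_version(self, user: str):
        """Most recent version this user expressly accepted, or None."""
        for rec in reversed(self.history):
            if rec.user == user:
                return rec.version_id
        return None

    def record_acceptance(self, user: str, shown_version: str) -> Acceptance:
        """Store consent only for the version that was actually displayed."""
        if shown_version != self.current_version():
            # The form was rendered before a TOS change: show the new text.
            raise ValueError("displayed TOS is no longer current")
        rec = Acceptance(user, shown_version, datetime.now(timezone.utc))
        self.history.append(rec)
        return rec

    def login(self, user: str, credentials_ok: bool) -> str:
        """Return 'denied', 'ok', or 'tos_required' (show the accept screen)."""
        if not credentials_ok:
            return "denied"
        if self.accepted_version(user) == self.current_version():
            return "ok"  # unchanged TOS: login experience is unchanged
        return "tos_required"


def demo() -> list:
    """Walk one constructed user through a TOS change."""
    store = ConsentStore("Terms v1: constructed sample text.")
    out = [store.login("alice", True)]            # never accepted
    shown = store.current_version()
    store.record_acceptance("alice", shown)
    out.append(store.login("alice", True))        # accepted current text
    store.publish("Terms v2: constructed sample text with a new clause.")
    out.append(store.login("alice", True))        # TOS changed since consent
    try:
        store.record_acceptance("alice", shown)   # stale form submission
        out.append("accepted")
    except ValueError:
        out.append("stale_rejected")
    store.record_acceptance("alice", store.current_version())
    out.append(store.login("alice", True))
    out.append(len(store.history))                # both consents retained
    return out


if __name__ == "__main__":
    print(demo())
```

Because the history is append-only and keyed by a hash of the displayed text, the record shows which exact wording each acceptance refers to, rather than only that some checkbox was ticked.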

Given that Eric points to the bottom-of-page placement of the TOS as further evidence of its inadmissibility, it's a bit ironic that the first paragraph of his article says "This post will make some suggestions" and the last paragraph, pages down, says "[this post] doesn't provide legal advice"

An interesting read though -- thanks.

I think it has been well established that disclaimers on legal advice and commentary are less important than 10 years ago. A reasonable person must be under the assumption that the author is acting as their lawyer. Adding the extra "This is not legal advice" is moreso just an extra nail in the coffin of protection.

It's the same reason WebMD does not have a big disclaimer at the top of the page saying they are not acting as your doctor.

Are there specific legal precedents that have made such disclaimers less important, or has it been a general trend?

Yes, generally see the NOLO line of cases.

"As you can see from the screenshot snippet above, Zappos' terms of use says "We reserve the right to change...these terms and conditions at any time." Zappos isn't the only website using language like this; it's ubiquitous on the Internet. Unfortunately, despite its widespread usage, this language is toxic to a contract."

Isn't toxic too strong a word here? That particular clause is unenforceable, but the rest of the contract is unaffected, because of (I presume) a severability clause? The article seems to indicate that this clause taints other aspects of the contract.

Toxic is not too strong of a word here.

The use of a unilateral change-of-terms clause, without notification or assent, in their contract with the users of their website invokes an illusionary promise of a contract which vitiates the entirety of the contract at its very roots, including the severability clause.

This raises an interesting question of whether forcing every user to click an annoying accept checkbox would actually hurt their bottom line more than the results of the lawsuits.

As far as I understand it doesn't have to be annoying. Simply having the legible text "By clicking the Purchase button you agree to the Terms" should suffice. There'll be just one Purchase button in both cases (of course, getting legal advice wouldn't be a bad idea).

If anyone's particularly interested in the online contract issues highlighted by the Zappos User Agreement, Stanford Law had a great hour long session on online contracts at their 7th Annual Stanford E-commerce Best Practices 2010 E-commerce Best Practices Conference.


How does one prove that at the time a user signed up there was a checkbox/button to accept the terms, not a different version of the page?

The same way most other things are proven. Someone in a position of power says "the checkbox was there and we recorded the value, and this was the version of the TOS at the time" under threat of perjury.

Any half-informed Internet user should be saving copies of terms they have agreed to (after reading them thoroughly, of course).

That's sarcasm, but I feel like that's what would be legally argued in court, and it shows how much power websites have compared to their users.

how do you keep a record of terms you have not agreed to, a screen grab of an unchecked box?

You could, say, post a digitally-signed repudiation of the ToS. Or, interesting concept, of all ToS terms to which you explicitly do not agree.

Put that somewhere that, say, Internet Archive would get ahold of it. Among the Archive's revenue-generating services is providing notarized copies of data that it's archived, essentially substantiating someone's claims that material was available online at a given point in time.

Although I'm sure this could be spoofed easily, whatever version control system you're using almost certainly timestamps commits. You could easily bring up the version of the file that existed at the timestamp of the user's account creation date.
