\I Agree:\ Should Your Privacy Policy Be a Contract?

Clients frequently ask me variations on the question of whether a privacy policy should be treated as a contract. Sometimes the question is framed as, \"Should we have users agree to our privacy policy?\" Others frame the question as, \"Should we incorporate our entire privacy policy into our agreed upon end-user license agreement (\"EULA\") or terms of use (\"TOU\")?\" for those who take a global approach to privacy compliance, \"I agree\" language may cause legal issues abroad. Some European Union (\"EU\") countries, such as Germany, explicitly prohibit forcing end users to agree broadly to data collection and use practices. Other EU data protection laws and rules prohibit conditioning use of products or services on user acceptance of data collection and use practices. In these countries, the privacy policy takes the form of a notice to users. It is meant to fully inform users and provide transparency about what data you collect, how you use it, with whom you share the data, how you protect it, the choices users have with respect to use and sharing of the data, and the like. Likewise, for the few U.S. laws requiring privacy policies, the objective for doing so is notice and transparency rather than contract formation. Most significantly, given recent judicial lawmaking, your entity may benefit from treating some aspects of your privacy policy as part of your privacy litigation strategy. With careful phrasing and placement of language in a TOU to which users must affirmatively agree, an entity can potentially compel arbitration and avoid costly class action litigation.2 That TOU would include the user's agreement to collection and use of information by your entity for the purposes disclosed in the privacy policy and to a binding arbitration provision with a class action waiver. To help ensure that the terms are binding, however, it is important that acceptance of the terms involve some affirmative action of the user.