Whether assisting in developing or implementing a compliance program or battling it out in the courtroom, we offer the full range of compliance and litigation options and services related to Online Services. For example, we assist our clients in the following areas:
- Provide a Website Privacy Audit Report that assesses a client’s website, identifies its risk profile, offers recommendations and website best practices to ensure better legal compliance, and proposes solutions to mitigating the risk of litigation or regulatory enforcement actions.
- Retain industry-leading IT consultants to undertake measures designed to ensure that corporate websites, mobile applications, and other online platforms satisfy cookie management requirements, WCAG, and other website accessibility standards.
- Draft website accessibility notices, cookie banner content, privacy statements, and similar disclaimers.
- Assess and draft website terms of use to ensure dispute resolution processes are favorable to the owners and operators of Online Services.
- In the event of a pre-litigation dispute, assess an organization’s compliance posture and draft legal defense memoranda to facilitate settlement discussions.
- Implement cost-saving strategies in litigation to seek dismissal of cases on procedural and jurisdictional grounds or for lack of merit.
- Negotiate and draft settlement agreements releasing defendants from current and future claims against them and their affiliates and subsidiaries.
There are many factors that an organization needs to assess to determine whether its website is compliant with privacy requirements and accessibility standards. Thompson Hine can help.
Businesses must protect the privacy and security of the personal data and confidential information in their custody and control. However, in today’s dynamic threat environment, businesses are facing evolving risks to their information technology (IT) systems and networks. To mitigate these risks, a business should build a data protection program tailored to its unique concerns and threats. Central to developing a data protection program is creating, implementing, and maintaining a clear and concise data incident response plan (IRP) that outlines the measures and tools needed to prepare for and respond to an actual or reasonably suspected data breach.
This checklist provides an outline of the critical elements a business should address or consider when creating an IRP. Full access to the checklist is available here (pdf).
Issue |
Description |
| Cookie Banner | Online Services should include a cookie banner to inform end-users about the collection, processing, and use of their personal data. This banner is intended to satisfy notice-at-collection requirements and can also be used to obtain consent before deploying cookies, pixels, and similar tags. |
| Consent for Non-Essential and Online Tracking Technology | Online Services that deploy non-essential cookies, pixels, and tags, such as online tracking technologies, need to identify whether they require opt-in or opt-out consent for such tools. |
| Notice at Collection | Online Services should include an acknowledgement link to a privacy policy wherever personal data is collected, such as registration pages, contact-us forms, or marketing sign-up forms. Alternatively, the link to the privacy policy should be placed in close proximity to any disclosure of personal data. |
| Homepage and Conspicuous Links | Online Services should include clear and conspicuous links to their privacy statements in easily accessible areas. |
| Cookie Management Tool | Online Services should include a cookie management tool (often named “Privacy Choices” or “Do Not Share My Information”) allowing end-users to adjust their cookie preferences at any time. |
| Chat Features and Interactive Communications | If Online Services offer chat features or interactive forms, they should include disclaimers about recording communications content and how such content may be used or shared with third parties, including via social media and other online tracking technologies. |
| Third-Party Video Playback | Online Services that collect and share personal data on end-user interactions with embedded videos may require specific consent before sharing this data with third parties, such as advertising partners. |
| Age Gating | If Online Services collect information from minors or feature age-sensitive content, they should implement an age verification popup (age gate) requiring end-users to explicitly confirm they meet the minimum age before accessing the Online Services. |
| Biometric Data | If Online Services collect biometric data, such as facial recognition or scans (e.g., digital “try-on” features), they should require affirmative (opt-in) consent before collecting, using, or sharing the data, and include specific clauses for biometric data processing. |
| Health Data | Online Services that collect health data, such as adverse event reporting, may be required to obtain specific written consent before collecting, using, or disclosing such information. |
| Privacy Policy: Types of Personal Data Collected | A privacy statement should include a description of the types and categories of personal data processed by the organization, including data collected through website activities. |
| Privacy Policy: Data Sources | A privacy statement should outline the sources of personal data, whether derived from first-party or third-party sources. |
| Privacy Policy: How Personal Data is Used and Shared | A privacy statement should explain how the organization uses personal data in its custody and control (e.g., to provide and maintain its services, for marketing) and how it discloses such data (e.g., intra-group sharing, service providers, unaffiliated third parties, law enforcement, or during corporate restructuring). |
| Privacy Policy: Privacy Rights | A privacy statement should describe the privacy rights available to consumers, how they can exercise those rights, and how the organization processes and responds to privacy requests. |
| T&Cs: Dispute Resolution & Class Action Waivers | Online Services should include terms and conditions requiring end-users to agree (i) on how disputes will be resolved (e.g., arbitration or a designated court) and (i) to waive their right to file a class action claim. |
| T&Cs: Limitations of Liability | Online Services should include terms and conditions requiring end-users to agree to limits on the amount of damages they can claim as a result of using or accessing the Online Services. |
| T&Cs: End-User Reps | Online Services should include terms and conditions requiring end-users to confirm the minimum age threshold, have authority to be bound by the terms and conditions, and are located in appropriate jurisdictions. |
| Information Security Disclaimers |
Online Services should generally describe the security measures in place to protect personal data, how the organization will furnish legally required data incident notifications, and include a liability disclaimer for its security practices. |
| Website Accessibility | Online Services should be accessible to individuals with visual, hearing, or other sensory disabilities, in compliance with the Americans with Disabilities Act (ADA), Website Content Accessibility Guidelines (WCAG), and other website accessibility standards. |