This seems to keep coming up, so maybe spending a little time on the subject might be helpful.
The security or privacy team creates a form for users to acknowledge or approve something and then hands it off. Marketing gets in the middle of it to make it look pretty. Developers then take a few shortcuts to get it done on time.
Problem solved. Or is it?
Eventbrite was involved in a dispute with a customer. They wanted to invoke the arbitration clause in their terms of service. Okay. So far, so good.
But they run three versions of their application: a desktop website, a mobile website and a mobile app. They all had a terms of service acknowledgement, so are we still good?
Here is where they got into trouble.
Three platforms, three different acknowledgement forms.
Three different color schemes.
Three different button locations.
Then, when they went to court, they closely cropped the screenshot, hoping the judge wouldn’t figure out there was a whole bunch of distracting stuff next to the terms of service link.
Did marketing intentionally reduce the contrast of the link so people would not actually read what they were agreeing to?
Then there is the fact that, over the years, there were multiple versions of that screen.
So here is a question for you to ponder.
COULD YOU TELL A COURT WHAT VERSION OF THE RELEVANT SCREEN WAS IN PRODUCTION AT THE TIME THE USER AGREED TO THE TERMS?
I didn’t think so.
Then there is the issue of which platform the user agreed to the terms on.
COULD YOU TELL A COURT WHICH PLATFORM A USER AGREED TO YOUR TERMS ON?
Then there is the issue of time.
In this case the user signed up 5 years ago.
So what you need to do is know what version of the software was running on whichever platform the user was on at the time the user actually acknowledged whatever it is you are concerned about, and keep track of that for, say, 5 years or 10 years or more. You need to be able to produce a visual image of what the screen actually looked like, including colors and positions. For each platform.
Are you good?
Oh, yeah, one more thing. Are your log files forensically sound? Could you swear under oath that the data that you had could not have been manipulated or even accidentally changed by a DBA or admin? Do you even keep logs for long enough? Do you collect all of the right data? You get the idea.
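The record-keeping that the two paragraphs above call for, as an added example (not code from Eventbrite or from the original post): each acknowledgement stores the platform, software version, a hash of the archived screen image and the time, and the records are hash-chained so that a later change is detectable. Field names, version strings and sample values are constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor used as prev_hash of the first record

def record_digest(body: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so a record always hashes the same way.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def append_consent(log, user_id, platform, app_version, terms_version, screen_png, accepted_at):
    """Append one acknowledgement; each record commits to the one before it."""
    body = {
        "user_id": user_id,
        "platform": platform,            # which of the three front ends was used
        "app_version": app_version,      # build that rendered the screen
        "terms_version": terms_version,  # text the user was shown
        # Hash of the archived screenshot; the image itself is kept in long-term storage.
        "screen_sha256": hashlib.sha256(screen_png).hexdigest(),
        "accepted_at": accepted_at,
        "prev_hash": log[-1]["record_hash"] if log else GENESIS,
    }
    record = dict(body, record_hash=record_digest(body))
    log.append(record)
    return record

def verify_chain(log):
    """Return the index of the first record that fails verification, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if rec["prev_hash"] != prev or record_digest(body) != rec["record_hash"]:
            return i
        prev = rec["record_hash"]
    return -1

def build_sample_log():
    # Constructed sample data: stand-in bytes instead of real screenshots.
    log = []
    append_consent(log, "u-1001", "desktop-web", "4.2.0", "tos-v3", b"desktop-screen", "2015-06-01T14:03:22Z")
    append_consent(log, "u-1002", "mobile-app", "2.9.1", "tos-v3", b"app-screen", "2015-06-01T14:05:10Z")
    append_consent(log, "u-1003", "mobile-web", "4.2.0", "tos-v3", b"mweb-screen", "2015-06-02T09:41:00Z")
    return log
```

The chain only proves integrity if the latest `record_hash` is also kept somewhere an admin or DBA cannot rewrite, such as write-once storage; otherwise the whole chain can be recomputed after an edit.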
For the legal version of this conversation, read Professor Goldman’s blog here, but you probably have enough of a headache now.
Likely, you need to partner with your legal team to make sure that you get this right. It basically cost Eventbrite their case.
Could you defend your case if you had to?