
Does Your Website Comply With U.S. Law and The Implications if it Does Not

Hodgson Russ Canada-U.S. Cross-Border and Cybersecurity & Privacy Alert
July 7, 2022

It is no surprise that many Canadian companies sell into the United States by way of the Internet.  But what may be surprising is that many of those companies don’t bother to revise their websites for compliance with U.S. laws, including U.S. privacy law and the Americans with Disabilities Act (“ADA”).

While the ADA laudably strives for equity for disabled Americans, plaintiffs’ attorneys have seized upon ADA website accessibility requirements, including those for individuals with visual and hearing impairments, as a way to make money, through the filing of what one influential court recently characterized as “Mad-libs-style” legal complaints.  There are a number of attorneys who search the internet for non-compliance and then have a disabled person (the erstwhile plaintiff) try to access the website.  This is followed by a standard letter from the attorney to the company stating that their disabled client has been disadvantaged by this failure and is seeking damages under the ADA and parallel state laws.

If your company does business with U.S. consumers, you are potentially at risk.  It may not even matter whether you have a subsidiary or physical presence in the United States.  And achieving and maintaining continued compliance can be difficult, given that websites are technically complex and subject to constant revision.  Fortunately, there are a number of defenses that can help deter unscrupulous lawsuits launched by serial plaintiffs who file cookie-cutter or carbon copy lawsuits.  These include “standing.”  For example, a plaintiff may be precluded from bringing suit unless they have plausibly alleged, under the totality of the circumstances, a real and immediate threat of future injury.  It is not enough for a plaintiff simply to allege in conclusory fashion an intent to return to the website to purchase something.  Similarly, some courts may dismiss a matter as “moot” if the defendant promptly acts to resolve the alleged deficiency and can demonstrate that the risk of recurrence is low.  There are also other nuances in how the ADA is interpreted by various courts that our experienced and skilled litigation attorneys can help turn to your advantage in order to resolve any claims favorably.

With respect to data privacy and security laws, a key area for compliance with U.S. law is to ensure your company has a privacy policy conspicuously posted on its website and that its terms are followed.  In the U.S., the Federal Trade Commission has taken the position that failure to have, and adhere to, a privacy policy can be an unfair and deceptive act or practice in violation of Section 5 of the Federal Trade Commission Act.  (A privacy policy is also a “best practice” in the U.S. and failure to have, and adhere to, one could result in a claim for negligence.)  Moreover, companies doing business in the U.S. should know that there is no federal data privacy legislation, although Congress is currently working on such legislation.  Instead, a handful of states have enacted data privacy and security legislation, and all fifty states have breach notification laws.  Businesses must be aware of and comply with these laws.

If you are doing business in the U.S., you should also consider “Americanizing” your website’s terms of use.  The key areas for revision include, but are not limited to, limitations of liability, warranties, and other disclaimers that can impact your company’s legal liability.  You will also want to present the terms of use on your website in a manner that results in a contract being created between your company and the client.

If you are concerned that your website is not U.S. compliant, do not hesitate to contact Patrick E. Fitzsimmons, George J. Eydt, Gary M. Schober, Joshua Feinstein, or any other member of the Cross-Border or Cybersecurity & Privacy Law Groups at Hodgson Russ LLP.