Online Privacy Notice
1. Introduction.
(a) Web Site Owner. [Name of Company, i.e., “CasesAI, Inc.”] (“CasesAI”) is the owner of this web site
(“casesai.com”). CasesAI can be contacted by e-mail at privacypolicy@casesai.com. This online privacy notice discloses CasesAI information practices for this
CasesAI Web Site, including what type of personally identifiable information is requested in order to make a
purchase, how the information is used, and with whom the information is shared. [Note that other
CasesAI web sites may be governed by privacy notices containing different information practices
applicable to those sites.]
(b) [Anonymous] Web Site Visits. In general, you can visit the CasesAI Web Site without disclosing any personal information. CasesAI does keep track of the domains from which
people visit us.
(c) Web Site Transactions. At times, CasesAI will need personal information regarding a customer or a
prospect. For example, to process an order or provide a subscription, CasesAI may need to know a
customer’s name, mailing address, e-mail address and credit card details. It is CasesAI’s intent to let
you know before CasesAI collects personal information, such as user’s name and/or address on the
Internet. If you tell us that you do not wish to have this information used as a basis for further contact
with you, CasesAI will respect your wishes.
2. Personal Information That May Be Collected.
(a) Identifying Information. In order [to make a purchase OR to access designated subscriber services
and/or restricted areas within casesai.com], CasesAI will request a user to provide certain personal
identifying information, which may include: [legal] name, postal address, e-mail address, [screen name,
password,] [daytime] telephone number, facsimile number, method of payment, and, if applicable,
credit card number, firm name, firm size, current use of related products or services. CasesAI may request additional information necessary to establish and maintain
customer’s account.
(b) Service Quality Monitoring. Some Web site transactions may require a customer to telephone CasesAI,
or CasesAI to call the customer. CasesAI will not contact you by telephone without your prior consent,
except to confirm an order placed online and/or to inform a customer of the status of such order.
Customer should be aware that it is CasesAI’s practice to monitor, and in some cases record such calls
for staff training or quality assurance purposes.
(c) Information from Children. CasesAI does not sell products or services for purchase by children, and will not collect or post information from a child. All use of CasesAI is limited to individuals over the age of 21.
CasesAI will notify the child’s parent or guardian at the e-mail address provided if such use is detected by the prospective customer, alerting the parent or guardian to the child’s use of the Web site and
providing instructions as to how the parent or guardian can delete the child’s registration from the Web
site. [CasesAI does not use personally identifying information collected from children for marketing or
promotional purposes, and does not disclose such information to any third party for any purpose
whatsoever.]
(d) Lost or Stolen Information. If a customer’s [credit card and/or password] is lost or stolen, the
customer should promptly notify CasesAI in order to enable CasesAI to cancel the lost or stolen information
and to update its records with a changed [credit card and/or password].
(e) Chat Rooms, Forums and Bulletin Boards. If customer participates in a CasesAI chat room,
discussion forum, or posts messages to a CasesAI bulletin board, customer should be aware that the
information disclosed and shared will be broadly available to other persons, both inside of and/or
outside CasesAI, who have access to that chat room, forum or bulletin board. Some individual CasesAI chat
rooms, forums or bulletin boards have additional rules and conditions regarding participation. Also,
participant’s expressed opinion is his or her own and should not be considered as reflecting the opinion
of CasesAI.
(f) Links to Other Web Sites. A CasesAI Web site may contain links to other web sites. CasesAI is not
responsible for the privacy practices or the content of those other Web sites.
3. Uses Made of the Information.
(a) Limited Uses Identified. Without customer’s prior consent, CasesAI will not use your personally identifiable
information for any purpose other than that for which it is submitted. CasesAI uses personally identifiable
information to reply to inquiries, handle complaints, provide operational notices and in program recordkeeping. CasesAI also processes billing and business requests related to CasesAI Web Site participation.
(b) Marketing Uses. Unless customer marks an “x” on the opt-out option box herein provided, CasesAI
reserves the right to provide customer with information about CasesAI’s Web site, CasesAI products and
services, and related information in which customer has indicated an interest.
(c) Stored Information Uses. CasesAI stores [and retains] [the information provided by customer OR the
information entered on the CasesAI Web site]. [This information is used to compile a customer’s purchase
history in order to enable CasesAI to recommend products, services, or special offers that would be of
interest to a customer. OR Stored information is used by CasesAI [and/or CasesAI agents]: to support
customer interaction with the CasesAI Web site; to deliver customer purchases; and/or to contact customer
again about other CasesAI services and products.]
(d) Online Advertising. Some companies that help CasesAI deliver interactive on-line advertising, such as
banner ads, may collect and use information about CasesAI’s customers to help CasesAI better understand
the types of advertising or promotions that are most appealing to CasesAI’s customers. After it is
collected the information is aggregated so it is not identifiable to a specific individual. If, however,
customer would prefer that these companies not collect such information, please mark an “x” on the
opt-out option box.
4. Disclosure of the Information.
(a) Within Corporate Organization. CasesAI is a multinational organization, with legal entities, business
processes, management structures, and technical systems that cross borders. CasesAI may share your
personal information within the CasesAI corporate organization, and may transfer the information to
countries in the world where CasesAI conducts business. Some countries may provide less legal
protection for customer personal information. In such countries CasesAI will still handle customer
personal information in accordance with US standards.
(b) Mergers and Acquisitions. Circumstances may arise where for business reasons, CasesAI decides to
sell, buy, merge or otherwise reorganize its businesses in the United States or some other country.
Such a transaction may involve the disclosure of personal identifying information to prospective or
actual purchasers, and/or receiving such information from sellers. It is CasesAI’s practice to seek
appropriate protection for information in these types of transactions.
(c) Agents. CasesAI employs or engages other companies and individuals to perform business functions on
behalf of CasesAI. These persons are provided with personal identifying information required to perform
their functions, but are prohibited by contract from using the information for other purposes. These
persons engage in a variety of functions which include, but are not limited to, fulfilling orders, delivering
packages, removing repetitive information from customer lists, analyzing data, providing marketing
assistance, processing credit card payments and providing customer services.
(d) Affiliated Businesses. CasesAI works closely with affiliated businesses operating web site stores,
providing services or selling products on each other’s Web sites. These businesses identify themselves
to customers. Customer information related to a transaction with an affiliated business is shared with
that affiliated business.
(e) Marketing Analysis by Third Parties. CasesAI reserves the right to disclose to third parties personal
information about customers for marketing analysis; however, any information disclosed will be in the
form of aggregate data that does not describe or identify an individual customer.
(f) Disclosure to Governmental Authorities. Under certain circumstances, personal information may be
subject to disclosure pursuant to judicial or other government subpoenas, warrants or orders.
5. Use of Computer Tracking Technologies.
(a) No Tracking of Personal Information. CasesAI’s Web Site(s) are not set up to track, collect or distribute
personal information not entered by visitors. Through web site access logs CasesAI does collect
clickstream data and HTTP protocol elements, which generate certain kinds of non-identifying site
usage data, such as the number of hits and visits to our sites. This information is used for internal
purposes by technical support staff for research and development, user analysis and business decision
making, all of which provides better services to the public. The statistics garnered, which contain no
personal information and cannot be used to gather such information, may also be provided to third
parties.
(b) Use of Cookies. CasesAI, or its third party vendors, collects non-identifiable and personal information
through the use of various technologies, including “cookies”. A cookie is an alphanumeric identifier that
a Web site can transfer to customer’s hard drive through customer’s browser. The cookie is then stored
on customer’s computer as an anonymous tag that identifies the customer’s computer, but not the
customer. Cookies may be sent by CasesAI or its third party vendors. Customer can set its browser to
notify customer before a cookie is received, giving an opportunity to decide whether to accept the
cookie. Customer may also set its browser to turn off cookies; however, some Web sites may not then
work properly.
(c) Use of Web Beacon Technologies. CasesAI may also use Web beacon or other technologies to better
tailor its Web site(s) to provide better customer service. If these technologies are in use, when a visitor
accesses these pages of the Web site, a non-identifiable notice of that visit is generated which may be
processed by CasesAI or by its suppliers. Web beacons usually work in conjunction with cookies. If
customer does not want cookie information to be associated with customer’s visits to these pages,
customer can set its browser to turn off cookies; however, Web beacon and other technologies will still
detect visits to these pages, but the notices they generate cannot be associated with other non-identifiable cookie information and are disregarded.
(d) Collection of Non-Identifiable Information. CasesAI may collect non-identifiable information from user
visits to the CasesAI Web site(s) in order to provide better customer service. Examples of such collecting
include: traffic analysis, such as tracking of the domains from which users visit, or tracking numbers of
visitors; measuring visitor activity on CasesAI Web site(s); Web site and system administration; user
analysis; and business decision making. Such information is sometimes known as “clickstream data.”
CasesAI or its contractors may use this data to analyze trends and statistics.
(e) Collection of Personal Information. CasesAI collects personal identifying information from customer
during a transaction. CasesAI may extract some personally identifying information about that transaction
in a non-identifiable format and combine it with other non-identifiable information, such as clickstream
data. This information is used and analyzed only at an aggregate level (not at an individual level) to
help CasesAI understand trends and patterns. This information is not reviewed at an individual level.
6. Information Security.
(a) Commitment to Online Security. CasesAI employs physical, electronic and managerial procedures to
safeguard the security and integrity of personal information. Billing and payment data is encrypted
whenever transmitted or received online. Personal information is accessible only by staff designated to
handle online requests or complaints. [All CasesAI agents and contractors with access to personal
information on the CasesAI web site(s) are also bound to adhere to CasesAI security standards.]
(b) No Liability for Acts of Third Parties. CasesAI will exercise all reasonable efforts to safeguard the
confidentiality of customer personal information. However, transmissions protected by industry
standard security technology and implemented by human beings cannot be made absolutely secure.
Consequently, CasesAI shall not be liable for unauthorized disclosure of personal information due to no
fault of CasesAI including, but not limited to, errors in transmission and unauthorized acts of [CasesAI staff
and/or third parties].
7. Privacy Policy Changes and Opt-Out Rights.
(a) Changes to Privacy Policy. This privacy notice was last updated on [date]. CasesAI reserves the right to
[change OR update] its privacy policy statement at any time. A [notice of such change OR notice of any
material change] will be [prominently] posted on the CasesAI Web site [home page OR on page] for [thirty
(30) days] OR [for ___________________(_____) days] prior to the implementation of such change.
[There are two boxes at the end of CasesAI’s notice of change (1) an “I accept” box, and (2) an “I do not
accept” box. If customer does not mark the “I do not accept” box customer will [be deemed to] have
accepted CasesAI’s privacy policy updates.]
(b) Opt-Out Right. [Customer and/or prospective customer] has the right at any time to cease permitting
personal information to be collected, used or disclosed by CasesAI and/or by any third parties with whom
CasesAI has shared and/or transferred such personal information. Right of cancellation may be exercised
by contacting CasesAI via e-mail [e-mail address], telephone or [certified] postal mail. After processing
the cancellation, CasesAI will delete customer or prospective customer’s personal information from its
data base.
8. Access Rights to Data.
(a) Information Maintained by CasesAI. Upon customer’s request, CasesAI will provide a reasonable
description of customer’s personally identifiable information that CasesAI maintains in its data bank. CasesAI
can be contacted by e-mail at [provide e-mail address], telephone [provide phone number], or [certified]
postal mail [provide CasesAI address].
(b) Corrections and Changes to Personal Information. Help CasesAI to keep customer personal
information accurate. If customer’s personal information changes, or if customer notes an error upon
review of customer information that CasesAI has on file, please promptly e-mail CasesAI [provide e-mail
address] and provide the new or correct information.
(c) Your California Privacy Rights. Beginning on January 1, 2005, California Civil Code Section 1798.83
permits customers of CasesAI who are California residents to request certain information regarding CasesAI’s
disclosure of personal information for their direct marketing purposes. To make such a request, please
write to: [name and [address or e-mail address]]. Within 30 days of receiving such a request, CasesAI will
provide a list of the categories of personal information disclosed to third parties for third-party direct
marketing purposes during the immediately preceding calendar year, along with the names and
addresses of these third parties. This request may be made no more than once per calendar year.
CasesAI reserves its right not to respond to requests submitted other than to the address specified in this
paragraph.
California’s privacy laws require a company to provide notice to California users of their rights to receive
information on the entities with which their information was shared for marketing purposes.
9. Accountability.
(a) Questions, Problems and Complaints. If you have a question about this policy statement, or a
complaint about CasesAI compliance with this privacy policy, you may contact CasesAI by e-mail [provide e-mail
address]. If CasesAI is unable to resolve your complaint to your reasonable satisfaction or if
customer does not receive acknowledgment of an inquiry, customer may elect to proceed by
contacting [provide name of third party privacy service organization and information on how to contact
the organization].
(b) Terms of Use. If customer chooses [to enter into a purchase order OR to subscribe to CasesAI’s services],
customer’s action is hereby deemed acceptance of CasesAI practices described in this policy statement.
Any dispute over privacy between customer and CasesAI is subject to the provisions of this notice and to
CasesAI’s [Terms of Use Agreement OR Conditions of Use] which is hereby incorporated herein and
which can be read at [provide web site address].
| About LexisNexis | Privacy Policy | Terms & Conditions | Copyright © 2023 LexisNexis
Drafting Notes & Alternate Clauses
Online Privacy Notice
Drafting Notes
Drafting Note to Clause 1.(a)
The purpose of this clause is to create an immediate ambience of openness by providing at the outset
multiple ways of contacting CasesAI. CasesAI may have one or multiple web sites. User should be told whether
this notice applies only to this Web Site and/or to other CasesAI web sites. This template is designed for a web
site engaged in online selling of products or services. The language used should be crafted to be user
friendly, while avoiding sales puffery. An additional goal is to create a balance between clarity and
ambiguous language with regard to commitment, and to contain language designed to protect the vendor
while avoiding the appearance of one-sidedness.
Drafting Note to Clause 1.(b)
Internet users are well aware of the practice of computer tracking for marketing purposes without the
knowledge or consent of the visitor. Consequently, a vendor may wish to disclose whether or not the
vendor or its agents engage in computer tracking, the parameters of the data collected, and the use made
of the collected data.
Drafting Note to Clause 1.(c)
While an opt-out option is not mandatory, it appears to put the user in control thus creating an atmosphere
of trust. In Clause 1.(c), the method of opting out is not clear. This is inadvisable. If opt-outs are offered,
how to opt-out should be made clear by the vendor. See, for example, Clauses 3.(b) and (d).
Drafting Note to Clause 1.(d)
If vendor is a member of a reputable third party certification program, disclosure clearly reinforces the user’s
trust in the vendor. If vendor does business within the EU or in a country with higher standards of privacy
than the United States, disclosure that the vendor “abides” with the foreign information privacy laws also
builds user trust in the vendor. Note that the verb “abide,” not “comply” is used.
Drafting Note to Clause 2.(a)
This clause in effect defines what this notice means by personal identifying information while leaving open
the possibility that additional information may be requested.
Drafting Note to Clause 2.(b)
Many notices do not contain a clause regarding vendor’s practices of monitoring staff telephone
transactions. While most companies disclose their monitoring practices in a recorded message to the
customer occurring prior to the telephone conversation, nevertheless, such disclosure in the privacy notice
reinforces the customer’s tacit consent to vendor monitoring and recording practices.
Drafting Note to Clause 2.(c)
The Children’s Online Privacy Protection Rule applies only to children under the age of 13, and only to
operators of web sites directed to children or a general audience web site that has a separate children’s
area. Nevertheless, it is advisable for a vendor to deal with the reality that a child may wish to purchase a
product or a service from other web sites without the knowledge of the parent or guardian. As a defensive
measure against the possibility of a complaint by a parent or guardian regarding a sale to a child customer,
many privacy notices require the active involvement of a parent or guardian in a transaction by children
younger than 16 or 18 years. In addition, the vendor will notify the parent or guardian of the transaction and
will make provision for the deletion of the transaction.
Drafting Note to Alternate Clause 2.(c)
While this alternative provision reflects the COPPA Rule, if the products or services sold might be of
interest to a child, such as clothing, a CD or a book, the alternative clause lacks defensive measures.
Drafting Note to Clause 2.(e)
This clause is designed to alert customers to the lack of privacy on interactive web sites, and to protect
CasesAI from unnecessary claims by a customer that the disclosures made in interactive web sites were
assumed to be private; and/or by third parties based on customer’s statements on interactive web sites.
Note that in Com. v. Proetto, the Superior Court of Pennsylvania has held that a participant in a chat room
conversation does not have a reasonable expectation of privacy in a chat room conversation.
Consequently, the court held that the forwarding of such conversations to a law enforcement official and
their admission into evidence does not violate the chatter’s constitutional rights. See Commonwealth v.
Proetto, 771 A.2d 823 (Pa. Super 2001). But see Doe v. 2TheMart.Com Inc., where the court held that the
identity of chat room participants on an investor Web site need not be revealed in response to a subpoena
issued in a class action securities fraud case against 2TheMart.Com Inc. by its shareholders. The
subpoena was issued to the ISP of the chat room Web site seeking the identity of the twenty-three
anonymous chat room participants. The court held that, while the right to speak anonymously is not
unlimited, the company did not give sufficient reason for seeking the identities of the participants,
particularly as there was no direct claim against them. See Doe v. 2TheMart.Com Inc., 140 F. Supp. 2d
1088 (W.D. Wash. 2001).
Drafting Note to Clause 2.(f)
This is also a defensive provision.
Drafting Note to Clause 3.(a)
A clear statement that personally identifiable information is used only for transaction related purposes.
Drafting Note to Alternate Clause 3.(a)
If personally identifiable information will be used for purposes not transaction related, those purposes
should be disclosed. CasesAI will then have the benefit of having the customer’s tacit consent to CasesAI’s privacy
practices.
Drafting Note to Clause 3.(b)
Many privacy notices permit customers to opt-out of receiving marketing materials from the company.
Drafting Note to Alternate or Alternative Clause 3.(b)
Some notices provide that once the personal identifying information is aggregated and thereby becomes
non-identifying, the identifying information is retained only as required for transaction related purposes.
Drafting Note to Clause 3.(d)
Opt-out boxes should be conspicuous so that the offer to opt-out is meaningful.
Drafting Note to Clause 4.(a)
Even modest-sized web site businesses tend to conduct business in more than one country. This clause
makes it clear that, although customer’s personal identifying information may be transferred across national
borders, the handling by CasesAI of personal identifying information will be uniform regardless of the laxity of
the laws of other countries.
Drafting Note to Clause 4.(b)
In addition to the transfers of customer information relating to mergers, acquisitions and the sale of
business assets as described in Clause 4.(b) and its Alternative Clause, personal identifying information
may be transferred during a bankruptcy proceeding. TRUSTe, a provider of online information privacy seals
of certification, has published guidelines on how personally identifiable information should be handled in the
event of one of the aforementioned legal transfers. The guidelines provide options to the customer,
including opt-in and opt-out choices, and should be carefully reviewed.
Drafting Note to Clause 4.(d)
An important provision for an online business that works with affiliated businesses.
Drafting Note to Clause 4.(e)
This clause overlaps with Clause 3.(b) which covers personal identifying information used by CasesAI or third
parties for marketing analysis. While Clause 3.(b) has an opt-out, this clause does not because the
information being used for marketing purposes is in the form of aggregate data and therefore not personally
identifying.
Drafting Note to Clause 4.(f)
Not all subpoenas are lawful as illustrated by Theofel v. Farey-Jones, 341 F.3d 978 (9th Cir. 2003). In that
case, the plaintiffs alleged that a subpoena served upon an Internet service provider (ISP) resulted in
improper disclosure of e-mails. The case arose out of an earlier action.
In that action, the plaintiff was engaged in commercial litigation in New York against Farey-Jones. In the
course of discovery, Farey-Jones sought access to company e-mail. Consequently, his lawyer issued a
subpoena to the company’s ISP, NetGate. Under the Federal Rules, parties are admonished to “take
reasonable steps to avoid imposing undue burden or expense” on the other party. See Fed. R. Civ. P.
45(c)(1). The lawyer, however, ordered production of “[a]ll copies of emails sent or received by anyone” at
the company with no limit as to time or scope. In order to comply, the ISP offered defendants a sample of
339 messages, copies of which the ISP posted to an ISP website. Without notifying opposing counsel,
Farey-Jones read them. Most were unrelated to the litigation, and many were privileged or personal. When
plaintiff found out what had happened, the court was requested to quash the subpoena and award
sanctions, which the court did stating that the subpoena was massively overbroad and violated Federal
Rules. Farey-Jones did not appeal that award.
However, the ISP employees whose e-mail had been furnished under the subpoena sued Farey-Jones
claiming violation of the Stored Communications Act, 18 U.S.C. § 2701 et seq., the Wiretap Act, 18 U.S.C.
§§ 2510-2522, and the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, as well as various state laws.
The district court held that none of the federal statutes applied and dismissed the claims. The plaintiffs
appealed.
The Ninth Circuit held that: (1) the disclosure by the ISP of e-mail messages, pursuant to the invalid and
overly broad subpoena, did not constitute an “authorized” disclosure under the Stored Communications Act;
(2) e-mail messages which were delivered to recipient and stored by ISP were in “electronic storage,” under
the Stored Communications Act; (3) no “interception” occurred in violation of the Wiretap Act; (4) the
Computer Fraud and Abuse Act provided a cause of action for unauthorized access to information stored
on a third party’s computer; and (5) Noerr-Pennington immunity did not protect conduct of serving invalid
subpoena. Affirmed in part; reversed in part; remanded.
Drafting Note to Second Alternative Clause 4.(f)
While Clause 4.(f) is found in many notices, the first Alternative Clause provides greater protection for CasesAI
because it includes investigations and proceedings that have not risen to the level of a subpoena, warrant
or order. The Second Alternative Clause is broader still. Customer is dependent upon the reasonable
judgment of CasesAI as to whether the personally identifying information should be released. Also release of
customer’s information may be made under a host of conditions, including contract enforcement, and fraud
and credit inquiries.
Drafting Note to Clause 5.(a)
Some customers are uncomfortable with computer tracking technologies that are planted in a user’s hard
drive without the knowledge or consent of the user. This Clause and the Alternative Clause are designed to
provide assurance to such customers that CasesAI does not engage in such practices.
Drafting Note to Alternative Clause 5.(b)
Two federal district courts have addressed at length class action privacy claims by Internet users who,
without the user’s consent, had information about them gathered during a Website visit or who had cookies
stored on their computer hard drive during a Website visit.
In In re DoubleClick Privacy Litigation, 154 F. Supp. 2d 497 (S.D.N.Y. 2001), Internet users brought class
actions against DoubleClick, an Internet advertising corporation. The users claimed that DoubleClick’s
storage of computer programs, known as “cookies,” on computer hard drives of Internet users (1) who
accessed Websites that were affiliated with DoubleClick; and (2) who accessed featured advertising of
DoubleClick’s clients, constituted violations of Electronic Communications Privacy Act (ECPA), Federal
Wiretap Act (Wiretap Act), Computer Fraud and Abuse Act (CFAA), and state law. The court held that:
As to the ECPA:
• Web sites affiliated with DoubleClick were “users” within meaning of ECPA § 2701 authorized user
exception
• The Web sites authorized DoubleClick to intercept users’ communications with sites
• ECPA protections do not extend to DoubleClick’s “cookies”
And, as to the Wiretap Act:
• Web sites’ authorization of DoubleClick’s interception of users’ communications was within consent
exception to Federal Wiretap Act
• “Criminal or tortious act” exception to Wiretap Act’s consent exception was inapplicable
And, as to the CFAA:
• Any loss actionable under CFAA is subject to Act’s damages minimum
• Damages under CFAA may only be aggregated for a single act –and–
• Alleged damages to value of users’ demographic information were not compensable economic damages
under CFAA
In re Intuit Privacy Litigation, 138 F. Supp. 2d 1272 (C.D. Cal. 2001), arose as a result of Intuit’s
implantation of cookies on computer users’ hard drives when the users visited one of Intuit’s Websites. The
court dismissed the Wiretap Act and the Computer Fraud and Abuse Act claims without prejudice holding
that plaintiffs had failed to sufficiently plead causes of action under these federal statutes.
In dismissing the Wiretap Act claim, the court held that the complaint failed to allege that Intuit was
motivated by a criminal or tortious purpose which is a requisite under the statute. As to the CFAA the court
held that economic damages are a necessary element of the CFAA, that plaintiffs had not provided
sufficient facts to satisfy the statutory minimum of $5,000 in economic damages, but that they should
nevertheless have the right to do so. The court, however, let stand the Electronic Communications Privacy
Act claim, refusing to find that Intuit as the host of the Quicken Website was authorized to grant access to
data on the plaintiff’s computers.
Drafting Note to Clause 6.(a)
This clause should only be used to the extent that it reflects actual company practices. If the company does
no more than encrypt billing and payment data then that is all that should be stated.
Drafting Note to Alternative Clause 6.(a)
A more ambiguous commitment than the principal clause; however, identifying a specific technology is not
recommended. The phraseology of the next alternative clause, “industry standard encryption technologies”
is suggested.
Drafting Note to Third Alternative Clause 6.(a):
If CasesAI decides to include minimal customer security assurances, this clause should be considered. Note:
“intends to protect,” not “protects;” also, “implements appropriate measures and processes.”
Drafting Note to Clause 6.(b)
A recommended protection against third party actions beyond the control of CasesAI.
Drafting Note to Clause 7.(a)
It is advisable that CasesAI disclose to customer that the content of this privacy notice may be changed by CasesAI
without personal notice to customer other than the posting on the CasesAI Web site. With regard to customer
acceptance of the change, CasesAI can rely on customer’s tacit acceptance based on the customer not
notifying CasesAI that the change is not acceptable and by the acts of customer in continuing to purchase from
CasesAI. The last set of bracketed language illustrates an opt-in/opt-out option for the customer. If customer
does not mark either box, tacit acceptance of the policy change is assumed. If the customer does not
accept the change, then customer has opted-out of the transactional relationship with CasesAI and has in effect
cancelled.
Drafting Note to Clause 9.(a)
If CasesAI is certified by a third party privacy service and/or certification organization, the customer should be
encouraged to discuss its complaint with the organization, some of which organizations will mediate a
dispute between CasesAI and the customer.
Alternate & Optional Clauses
Alternate Clause 1.(b):
(b) [Anonymous] Web Site Visits.
CasesAI collects certain information from CasesAI Web Site visitors. This includes, but is not limited to, the
home server domain name, e-mail address, type of computer and web browser, what pages visitor
accessed, and limited information about search requests. This information is used to solve technical
problems and to calculate overall usage statistics.
Alternate Clause 2.(c):
(c) Information from Children.
CasesAI does not collect or maintain information from users actually known to be under the age of 13, and no
part of CasesAI’s Web sites is structured to attract anyone under the age of 13.
While this alternative provision reflects the COPPA Rule, if the products or services sold might be of
interest to a child, such as clothing, a CD or a book, the alternative clause lacks defensive measures.
Alternative Clause 2.:
Lost or Stolen Information.
Help keep your personal information accurate. If a customer’s personal information has changed, please e-mail the new information to CasesAI at the e-mail address shown in Paragraph (a). If a customer would like to
review the personal information CasesAI has in its files regarding the customer, e-mail your request to CasesAI
together with the description of a recent purchase.
Alternate Clause 3.(a):
(a) Limited Uses Identified.
Personal information collected by CasesAI will be used by CasesAI for the following purposes: [specify the
purposes, such as for statistical analysis of customer’s behavior; for product development; for content
improvement; to customize the content and layout of CasesAI’s Web site; for internal company reviews; and so
on].
If personally identifiable information will be used for purposes not transaction related, those purposes
should be disclosed. CasesAI will then have the benefit of having the customer’s tacit consent to CasesAI’s privacy
practices.
Alternate or Additional Clause 3.(b):
(b) Marketing Uses.
The information you provide to the CasesAI Web site may also be collected, used, analyzed and/or processed
by CasesAI, or selected third parties on CasesAI’s behalf, for marketing and other business purposes. Before
CasesAI uses the information, however, CasesAI will notify customers and offer customers the opportunity to opt out if a customer wishes not to have personal identifying information used in this way.
Some notices provide that once the personal identifying information is aggregated and thereby becomes
non-identifying, the identifying information is retained only as required for transaction related purposes.
First Alternate Clause 4.(b):
(b) Mergers and Acquisitions.
For the purpose of developing and expanding its business, CasesAI may share, rent, sell or buy business
assets. In such transactions, customer information is generally one of the transferred business assets. Also,
in the event CasesAI is acquired, customer information will be one of the transferred assets.
Second Alternate Clause 4.(b)
(b) Mergers and Acquisitions.
CasesAI never shares, sells or rents your personal information [without prior notice to customer and the
opportunity to opt-out].
First Alternate Clause 4.(f):
(f) Disclosure to Governmental Authorities.
CasesAI may release personal information to appropriate governmental authorities where release is required
by law (for example, a subpoena) or by a regulation, or is requested by a government agency conducting
investigations or proceedings.
Second Alternate Clause 4.(f):
(f) Disclosure to Governmental Authorities.
CasesAI releases personal identifying information when CasesAI [reasonably] believes release is appropriate to
comply with law, to enforce CasesAI agreements, or to protect the rights, property or safety of CasesAI
customers. CasesAI may also release such information in an exchange of information with other companies
and/or organizations for the purposes of fraud protection and credit risk reduction.
While Clause 4.(f) is found in many notices, the first Alternative Clause provides greater protection for CasesAI
because it includes investigations and proceedings that have not risen to the level of a subpoena, warrant
or order. The Second Alternative Clause is broader still. Customer is dependent upon the reasonable
judgment of CasesAI as to whether the personally identifying information should be released. Also release of
customer’s information may be made under a host of conditions, including contract enforcement, and fraud
and credit inquiries.
Alternate Clause 5.(a):
(a) No Tracking of Personal Information.
CasesAI’s Web site(s) are not set up to track, collect or distribute personal information not entered by visitors.
Our site logs do generate certain kinds of non-identifying site usage data, such as the number of hits and
visits to our sites. This information is used for internal purposes by technical support staff to provide better
services to the public and may also be provided to others, but, again, the statistics contain no personal
information and cannot be used to gather such information.
Alternative Clause 5.(b):
(b) Use of Cookies.
A cookie is a small amount of data that is sent to customer’s browser from a Web server and is stored on
the computer’s hard drive. CasesAI uses non-identifying cookies to provide easier site navigation. CasesAI’s
Web site(s) can still be used if customer’s browser is set to reject cookies. CasesAI’s cookies do not generate
personal data, do not read personal data from your machine and are never tied to anything that could be
used to identify you.
Two federal district courts have addressed at length class action privacy claims by Internet users who,
without the user’s consent, had information about them gathered during a Website visit or who had cookies
stored on their computer hard drive during a Website visit.
In re DoubleClick Privacy Litigation, 154 F. Supp. 2d 497 (S.D.N.Y. 2001), the Internet users brought class
actions against DoubleClick, an Internet advertising corporation. The users claimed that DoubleClick’s
storage of computer programs, known as “cookies,” on computer hard drives of Internet users (1) who
accessed Websites that were affiliated with DoubleClick; and (2) who accessed featured advertising of
DoubleClick’s clients, constituted violations of Electronic Communications Privacy Act (ECPA), Federal
Wiretap Act (Wiretap Act), Computer Fraud and Abuse Act (CFAA), and state law. The court held that:
As to the ECPA:
• Web sites affiliated with DoubleClick were “users” within meaning of ECPA § 2701 authorized user
exception
• The Web sites authorized DoubleClick to intercept users’ communications with sites
• ECPA protections do not extend to DoubleClick’s “cookies”
And, as to the Wiretap Act:
• Web sites’ authorization of DoubleClick’s interception of users’ communications was within consent
exception to Federal Wiretap Act
• “Criminal or tortious act” exception to Wiretap Act’s consent exception was inapplicable
And, as to the CFAA:
• Any loss actionable under CFAA is subject to Act’s damages minimum
• Damages under CFAA may only be aggregated for a single act –and–
• Alleged damages to value of users’ demographic information were not compensable economic damages
under CFAA
In re Intuit Privacy Litigation, 138 F. Supp. 2d 1272 (C.D. Cal. 2001), arose as a result of Intuit’s
implantation of cookies on computer users’ hard drives when the users visited one of Intuit’s Websites. The
court dismissed the Wiretap Act and the Computer Fraud and Abuse Act claims without prejudice, holding
that plaintiffs had failed to sufficiently plead causes of action under these federal statutes.
In dismissing the Wiretap Act claim, the court held that the complaint failed to allege that Intuit was
motivated by a criminal or tortious purpose, which is a requisite under the statute. As to the CFAA, the court
held that economic damages are a necessary element of the CFAA, that plaintiffs had not provided
sufficient facts to satisfy the statutory minimum of $5,000 in economic damages, but that they should
nevertheless have the right to do so. The court, however, let stand the Electronic Communications Privacy
Act claim, refusing to find that Intuit as the host of the Quicken Website was authorized to grant access to
data on the plaintiff’s computers.
First Alternate Clause 6.(a):
(a) Commitment to Online Security.
CasesAI works to protect the security of customer personal information during transmission by employing
software which encrypts the information that customers and prospects input. CasesAI’s practice is to reveal
only the last five digits of customer’s credit card numbers when confirming an order. During order
processing the entire credit card number is revealed to the credit card company selected by customer.
A more ambiguous commitment than the principal clause; however, identifying a specific technology is not
recommended. The phraseology of the next alternative clause, “industry standard encryption technologies”
is suggested.
Second Alternate Clause 6.(a):
(a) Commitment to Online Security.
CasesAI uses industry standard encryption technologies when transferring and receiving personal information.
CasesAI maintains security measures in its physical [facility OR facilities] designed to protect against the loss,
misuse or alteration of information that CasesAI has collected from user.
Third Alternate Clause 6.(a):
(a) Commitment to Online Security.
CasesAI intends to protect customer personal information and to maintain its quality. To achieve information
security and quality, CasesAI implements appropriate measures and processes, such as using encryption
when transmitting certain sensitive information.
If CasesAI decides to include minimal customer security assurances, this clause should be considered. Note:
“intends to protect,” not “protects;” also, “implements appropriate measures and processes.”
Alternate Clause 8.(a):
(a) Information Maintained by CasesAI.
CasesAI will provide customer with access to the following personally identifiable information: [list the
information] for the limited purpose of viewing. Go to page of this Web site and enter customer’s account
password. If customer wishes to obtain a copy of particular information that customer provided to CasesAI,
send an e-mail request to [provide e-mail address].
1. Introduction.
(a) Web Site Owner. [Name of Company, i.e., “CasesAI, Inc.”] (“CasesAI”) is the owner of this web site
(“casesai.com”). CasesAI can be contacted by e-mail at privacypolicy@casesai.com. This online privacy notice discloses CasesAI information practices for this
CasesAI Web Site, including what type of personal identifiable information is requested in order to make a
purchase, how the information is used, and with whom the information is shared. [Note that other
CasesAI web sites may be governed by privacy notices containing different information practices
applicable to those sites.]
(b) [Anonymous] Web Site Visits. In general, you can visit the CasesAI Web Site without disclosing any personal information. CasesAI does keep track of the domains from which
people visit us.
(c) Web Site Transactions. At times, CasesAI will need personal information regarding a customer or a
prospect. For example, to process an order or provide a subscription, CasesAI may need to know a
customer’s name, mailing address, e-mail address and credit card details. It is CasesAI’s intent to let
you know before CasesAI collects personal information, such as user’s name and/or address on the
Internet. If you tell us that you do not wish to have this information used as a basis for further contact
with you, CasesAI will respect your wishes.
2. Personal Information That May Be Collected.
(a) Identifying Information. In order [to make a purchase OR to access designated subscriber services
and/or restricted areas within casesai.com], CasesAI will request a user to provide certain personal
identifying information, which may include: [legal] name, postal address, e-mail address, [screen name,
password,] [daytime] telephone number, facsimile number, method of payment, and, if applicable,
credit card number, firm name, firm size, current use of related products or services. CasesAI may request additional information necessary to establish and maintain
customer’s account.
(b) Service Quality Monitoring. Some Web site transactions may require a customer to telephone CasesAI,
or CasesAI to call the customer. CasesAI will not contact you by telephone without your prior consent,
except to confirm an order placed online and/or to inform a customer of the status of such order.
Customer should be aware that it is CasesAI’s practice to monitor, and in some cases record such calls
for staff training or quality assurance purposes.
(c) Information from Children. CasesAI does not sell products or services for purchase by children, and will not collect or post information from a child. All use of CasesAI is limited to individuals over the age of 21.
CasesAI will notify the child’s parent or guardian at the e-mail address provided if such use is detected by the prospective customer, alerting the parent or guardian to the child’s use of the Web site and
providing instructions as to how the parent or guardian can delete the child’s registration from the Web
site. [CasesAI does not use personally identifying information collected from children for marketing or
promotional purposes, and does not disclose such information to any third party for any purpose
whatsoever.]
(d) Lost or Stolen Information. If a customer’s [credit card and/or password] is lost or stolen, the
customer should promptly notify CasesAI in order to enable CasesAI to cancel the lost or stolen information
and to update its records with a changed [credit card and/or password].
(e) Chat Rooms, Forums and Bulletin Boards. If customer participates in a CasesAI chat room,
discussion forum, or posts messages to a CasesAI bulletin board, customer should be aware that the
information disclosed and shared will be broadly available to other persons, both inside of and/or
outside CasesAI, who have access to that chat room, forum or bulletin board. Some individual CasesAI chat
rooms, forums or bulletin boards have additional rules and conditions regarding participation. Also,
participant’s expressed opinion is his or her own and should not be considered as reflecting the opinion
of CasesAI.
(f) Links to Other Web Sites. A CasesAI Web site may contain links to other web sites. CasesAI is not
responsible for the privacy practices or the content of those other Web sites.
3. Uses Made of the Information.
(a) Limited Uses Identified. Without customer’s prior consent, CasesAI will not use your personal identifiable
information for any purpose other than that for which it is submitted. CasesAI uses personal identifiable
information to reply to inquiries, handle complaints, provide operational notices and in program recordkeeping. CasesAI also processes billing and business requests related to CasesAI Web Site participation.
(b) Marketing Uses. Unless customer marks an “x” on the opt-out option box herein provided, CasesAI
reserves the right to provide customer with information about CasesAI’s Web site, CasesAI products and
services, and related information in which customer has indicated an interest.
(c) Stored Information Uses. CasesAI stores [and retains] [the information provided by customer OR the
information entered on the CasesAI Web site]. [This information is used to compile a customer’s purchase
history in order to enable CasesAI to recommend products, services, or special offers that would be of
interest to a customer. OR Stored information is used by CasesAI [and/or CasesAI agents]: to support
customer interaction with the CasesAI Web site; to deliver customer purchases; and/or to contact customer
again about other CasesAI services and products.]
(d) Online Advertising. Some companies that help CasesAI deliver interactive on-line advertising, such as
banner ads, may collect and use information about CasesAI’s customers to help CasesAI better understand
the types of advertising or promotions that are most appealing to CasesAI’s customers. After it is
collected the information is aggregated so it is not identifiable to a specific individual. If, however,
customer would prefer that these companies not collect such information, please mark an “x” on the
opt-out option box.
4. Disclosure of the Information.
(a) Within Corporate Organization. CasesAI is a multinational organization, with legal entities, business
processes, management structures, and technical systems that cross borders. CasesAI may share your
personal information within the CasesAI corporate organization, and may transfer the information to
countries in the world where CasesAI conducts business. Some countries may provide less legal
protection for customer personal information. In such countries CasesAI will still handle customer
personal information in accordance with US standards.
(b) Mergers and Acquisitions. Circumstances may arise where for business reasons, CasesAI decides to
sell, buy, merge or otherwise reorganize its businesses in the United States or some other country.
Such a transaction may involve the disclosure of personal identifying information to prospective or
actual purchasers, and/or receiving such information from sellers. It is CasesAI’s practice to seek
appropriate protection for information in these types of transactions.
(c) Agents. CasesAI employs or engages other companies and individuals to perform business functions on
behalf of CasesAI. These persons are provided with personal identifying information required to perform
their functions, but are prohibited by contract from using the information for other purposes. These
persons engage in a variety of functions which include, but are not limited to, fulfilling orders, delivering
packages, removing repetitive information from customer lists, analyzing data, providing marketing
assistance, processing credit card payments and providing customer services.
(d) Affiliated Businesses. CasesAI works closely with affiliated businesses operating web site stores,
providing services or selling products on each other’s Web sites. These businesses identify themselves
to customers. Customer information related to a transaction with an affiliated business is shared with
that affiliated business.
(e) Marketing Analysis by Third Parties. CasesAI reserves the right to disclose to third parties personal
information about customers for marketing analysis; however, any information disclosed will be in the
form of aggregate data that does not describe or identify an individual customer.
(f) Disclosure to Governmental Authorities. Under certain circumstances, personal information may be
subject to disclosure pursuant to judicial or other government subpoenas, warrants or orders.
5. Use of Computer Tracking Technologies.
(a) No Tracking of Personal Information. CasesAI’s Web Site(s) are not set up to track, collect or distribute
personal information not entered by visitors. Through web site access logs CasesAI does collect
clickstream data and HTTP protocol elements, which generate certain kinds of non-identifying site
usage data, such as the number of hits and visits to our sites. This information is used for internal
purposes by technical support staff for research and development, user analysis and business decision
making, all of which provides better services to the public. The statistics garnered, which contain no
personal information and cannot be used to gather such information, may also be provided to third
parties.
(b) Use of Cookies. CasesAI, or its third party vendors, collects non-identifiable and personal information
through the use of various technologies, including “cookies”. A cookie is an alphanumeric identifier that
a Web site can transfer to customer’s hard drive through customer’s browser. The cookie is then stored
on customer’s computer as an anonymous tag that identifies the customer’s computer, but not the
customer. Cookies may be sent by CasesAI or its third party vendors. Customer can set its browser to
notify customer before a cookie is received, giving an opportunity to decide whether to accept the
cookie. Customer may also set its browser to turn off cookies; however, some Web sites may not then
work properly.
(c) Use of Web Beacon Technologies. CasesAI may also use Web beacon or other technologies to better
tailor its Web site(s) to provide better customer service. If these technologies are in use, when a visitor
accesses these pages of the Web site, a non-identifiable notice of that visit is generated which may be
processed by CasesAI or by its suppliers. Web beacons usually work in conjunction with cookies. If
customer does not want cookie information to be associated with customer’s visits to these pages,
customer can set its browser to turn off cookies; however, Web beacon and other technologies will still
detect visits to these pages, but the notices they generate cannot be associated with other non-identifiable cookie information and are disregarded.
(d) Collection of Non-Identifiable Information. CasesAI may collect non-identifiable information from user
visits to the CasesAI Web site(s) in order to provide better customer service. Examples of such collecting
include: traffic analysis, such as tracking of the domains from which users visit, or tracking numbers of
visitors; measuring visitor activity on CasesAI Web site(s); Web site and system administration; user
analysis; and business decision making. Such information is sometimes known as “clickstream data.”
CasesAI or its contractors may use this data to analyze trends and statistics.
(e) Collection of Personal Information. CasesAI collects personal identifying information from customer
during a transaction. CasesAI may extract some personally identifying information about that transaction
in a non-identifiable format and combine it with other non-identifiable information, such as clickstream
data. This information is used and analyzed only at an aggregate level (not at an individual level) to
help CasesAI understand trends and patterns. This information is not reviewed at an individual level.
6. Information Security.
(a) Commitment to Online Security. CasesAI employs physical, electronic and managerial procedures to
safeguard the security and integrity of personal information. Billing and payment data is encrypted
whenever transmitted or received online. Personal information is accessible only by staff designated to
handle online requests or complaints. [All CasesAI agents and contractors with access to personal
information on the CasesAI web site(s) are also bound to adhere to CasesAI security standards.]
(b) No Liability for Acts of Third Parties. CasesAI will exercise all reasonable efforts to safeguard the
confidentiality of customer personal information. However, transmissions protected by industry
standard security technology and implemented by human beings cannot be made absolutely secure.
Consequently, CasesAI shall not be liable for unauthorized disclosure of personal information due to no
fault of CasesAI including, but not limited to, errors in transmission and unauthorized acts of [CasesAI staff
and/or third parties].
7. Privacy Policy Changes and Opt-Out Rights.
(a) Changes to Privacy Policy. This privacy notice was last updated on [date]. CasesAI reserves the right to
[change OR update] its privacy policy statement at any time. A [notice of such change OR notice of any
material change] will be [prominently] posted on the CasesAI Web site [home page OR on page] for [thirty
(30) days OR ___________________ (_____) days] prior to the implementation of such change.
[There are two boxes at the end of CasesAI’s notice of change: (1) an “I accept” box, and (2) an “I do not
accept” box. If customer does not mark the “I do not accept” box customer will [be deemed to] have
accepted CasesAI’s privacy policy updates.]
(b) Opt-Out Right. [Customer and/or prospective customer] has the right at any time to cease permitting
personal information to be collected, used or disclosed by CasesAI and/or by any third parties with whom
CasesAI has shared and/or transferred such personal information. Right of cancellation may be exercised
by contacting CasesAI via e-mail [e-mail address], telephone or [certified] postal mail. After processing
the cancellation, CasesAI will delete customer or prospective customer’s personal information from its
data base.
8. Access Rights to Data.
(a) Information Maintained by CasesAI. Upon customer’s request, CasesAI will provide a reasonable
description of customer’s personally identifiable information that CasesAI maintains in its data bank. CasesAI
can be contacted by e-mail at [provide e-mail address], telephone [provide phone number], or [certified]
postal mail [provide CasesAI address].
(b) Corrections and Changes to Personal Information. Help CasesAI to keep customer personal
information accurate. If customer’s personal information changes, or if customer notes an error upon
review of customer information that CasesAI has on file, please promptly e-mail CasesAI [provide e-mail
address] and provide the new or correct information.
(c) Your California Privacy Rights. Beginning on January 1, 2005, California Civil Code Section 1798.83
permits customers of CasesAI who are California residents to request certain information regarding CasesAI’s
disclosure of personal information for their direct marketing purposes. To make such a request, please
write to: [name and [address or e-mail address]]. Within 30 days of receiving such a request, CasesAI will
provide a list of the categories of personal information disclosed to third parties for third-party direct
marketing purposes during the immediately preceding calendar year, along with the names and
addresses of these third parties. This request may be made no more than once per calendar year.
CasesAI reserves its right not to respond to requests submitted other than to the address specified in this
paragraph.
California’s privacy laws require a company to provide notice to California users of their rights to receive
information on the entities with which their information was shared for marketing purposes.
9. Accountability.
(a) Questions, Problems and Complaints. If you have a question about this policy statement, or a
complaint about CasesAI compliance with this privacy policy, you may contact CasesAI by e-mail [provide
e-mail address]. If CasesAI is unable to resolve your complaint to your reasonable satisfaction or if
customer does not receive acknowledgment of an inquiry, customer may elect to proceed by
contacting [provide name of third party privacy service organization and information on how to contact
the organization].
(b) Terms of Use. If customer chooses [to enter into a purchase order OR to subscribe to CasesAI’s services],
customer’s action is hereby deemed acceptance of CasesAI practices described in this policy statement.
Any dispute over privacy between customer and CasesAI is subject to the provisions of this notice and to
CasesAI’s [Terms of Use Agreement OR Conditions of Use] which is hereby incorporated herein and
which can be read at [provide web site address].
Drafting Notes & Alternate Clauses
Online Privacy Notice
Drafting Notes
Drafting Note to Clause 1.(a)
The purpose of this clause is to create an immediate ambience of openness by providing at the outset
multiple ways of contacting CasesAI. CasesAI may have one or multiple web sites. User should be told whether
this notice applies only to this Web Site and/or to other CasesAI web sites. This template is designed for a web
site engaged in online selling of products or services. The language used should be crafted to be user
friendly, while avoiding sales puffery. An additional goal is to create a balance between clarity and
ambiguous language with regard to commitment, and to contain language designed to protect the vendor
while avoiding the appearance of one-sidedness.
Drafting Note to Clause 1.(b)
Internet users are well aware of the practice of computer tracking for marketing purposes without the
knowledge or consent of the visitor. Consequently, a vendor may wish to disclose whether or not the
vendor or its agents engage in computer tracking, the parameters of the data collected, and the use made
of the collected data.
Drafting Note to Clause 1.(c)
While an opt-out option is not mandatory, it appears to put the user in control thus creating an atmosphere
of trust. In Clause 1.(c), the method of opting out is not clear. This is inadvisable. If opt-outs are offered,
how to opt-out should be made clear by the vendor. See, for example, Clauses 3.(b) and (d).
Drafting Note to Clause 1.(d)
If vendor is a member of a reputable third party certification program, disclosure clearly reinforces the user’s
trust in the vendor. If vendor does business within the EU or in a country with higher standards of privacy
than the United States, disclosure that the vendor “abides” with the foreign information privacy laws also
builds user trust in the vendor. Note that the verb “abide,” not “comply” is used.
Drafting Note to Clause 2.(a)
This clause in effect defines what this notice means by personal identifying information while leaving open
the possibility that additional information may be requested.
Drafting Note to Clause 2.(b)
Many notices do not contain a clause regarding vendor’s practices of monitoring staff telephone
transactions. While most companies disclose their monitoring practices in a recorded message to the
customer occurring prior to the telephone conversation, nevertheless, such disclosure in the privacy notice
reinforces the customer’s tacit consent to vendor monitoring and recording practices.
Drafting Note to Clause 2.(c)
The Children’s Online Privacy Protection Rule applies only to children under the age of 13, and only to
operators of web sites directed to children or a general audience web site that has a separate children’s
area. Nevertheless, it is advisable for a vendor to deal with the reality that a child may wish to purchase a
product or a service from other web sites without the knowledge of the parent or guardian. As a defensive
measure against the possibility of a complaint by a parent or guardian regarding a sale to a child customer,
many privacy notices require the active involvement of a parent or guardian in a transaction by children
younger than 16 or 18 years. In addition, the vendor will notify the parent or guardian of the transaction and
will make provision for the deletion of the transaction.
Drafting Note to Alternate Clause 2.(c)
While this alternative provision reflects the COPPA Rule, if the products or services sold might be of
interest to a child, such as clothing, a CD or a book, the alternative clause lacks defensive measures.
Drafting Note to Clause 2.(e)
This clause is designed to alert customers to the lack of privacy on interactive web sites, and to protect
CasesAI from unnecessary claims by a customer that the disclosures made in interactive web sites were
assumed to be private; and/or by third parties based on customer’s statements on interactive web sites.
Note that in Com. v. Proetto, the Superior Court of Pennsylvania has held that a participant in a chat room
conversation does not have a reasonable expectation of privacy in a chat room conversation.
Consequently, the court held that the forwarding of such conversations to a law enforcement official and
their admission into evidence does not violate the chatter’s constitutional rights. See Commonwealth v.
Proetto, 771 A.2d 823 (Pa. Super 2001). But see Doe v. 2TheMart.Com Inc., where the court held that the
identity of chat room participants on an investor Web site need not be revealed in response to a subpoena
issued in a class action securities fraud case against 2TheMart.Com Inc. by its shareholders. The
subpoena was issued to the ISP of the chat room Web site seeking the identity of the twenty-three
anonymous chat room participants. The court held that, while the right to speak anonymously is not
unlimited, the company did not give sufficient reason for seeking the identities of the participants,
particularly as there was no direct claim against them. See Doe v. 2TheMart.Com Inc., 140 F. Supp. 2d
1088 (W.D. Wash. 2001).
Drafting Note to Clause 2.(f)
This is also a defensive provision.
Drafting Note to Clause 3.(a)
A clear statement that personally identifiable information is used only for transaction related purposes.
Drafting Note to Alternate Clause 3.(a)
If personally identifiable information will be used for purposes not transaction related, those purposes
should be disclosed. CasesAI will then have the benefit of having the customer’s tacit consent to CasesAI’s privacy
practices.
Drafting Note to Clause 3.(b)
Many privacy notices permit customers to opt-out of receiving marketing materials from the company.
Drafting Note to Alternate or Alternative Clause 3.(b)
Some notices provide that once the personal identifying information is aggregated and thereby becomes
non-identifying, that the identifying information is retained only as required for transaction related purposes.
Drafting Note to Clause 3.(d)
Opt-out boxes should be conspicuous so that the offer to opt-out is meaningful.
Drafting Note to Clause 4.(a)
Even modest-sized web site businesses tend to conduct business in more than one country. This clause
makes it clear that, although customer’s personal identifying information may be transferred across national
borders, the handling by CasesAI of personal identifying information will be uniform regardless of the laxity of
the laws of other countries.
Drafting Note to Clause 4.(b)
In addition to the transfers of customer information relating to mergers, acquisitions and the sale of
business assets as described in Clause 4.(b) and its Alternative Clause, personal identifying information
may be transferred during a bankruptcy proceeding. TRUSTe, a provider of online information privacy seals
of certification, has published guidelines on how personally identifiable information should be handled in the
event of one of the aforementioned legal transfers. The guidelines provide options to the customer,
including opt-in and opt-out choices, and should be carefully reviewed.
Drafting Note to Clause 4.(d)
An important provision for an online business that works with affiliated businesses.
Drafting Note to Clause 4.(e)
This clause overlaps with Clause 3.(b) which covers personal identifying information used by CasesAI or third
parties for marketing analysis. While Clause 3.(b) has an opt-out, this clause does not because the
information being used for marketing purposes is in the form of aggregate data and therefore not personally
identifying.
Drafting Note to Clause 4.(f)
Not all subpoenas are lawful as illustrated by Theofel v. Farey-Jones, 341 F.3d 978 (9th Cir. 2003). In that
case, the plaintiffs alleged that a subpoena served upon an Internet service provider (ISP) resulted in
improper disclosure of e-mails. The case arose out of an earlier action.
In that action, the plaintiff was engaged in commercial litigation in New York against Farey-Jones. In the
course of discovery, Farey-Jones sought access to company e-mail. Consequently, his lawyer issued a
subpoena to the company’s ISP, NetGate. Under the Federal Rules, parties are admonished to “take
reasonable steps to avoid imposing undue burden or expense” on the other party. See Fed. R. Civ. P.
45(c)(1). The lawyer, however, ordered production of “[a]ll copies of emails sent or received by anyone” at
the company with no limit as to time or scope. In order to comply, the ISP offered defendants a sample of
339 messages, copies of which the ISP posted to an ISP website. Without notifying opposing counsel,
Farey-Jones read them. Most were unrelated to the litigation, and many were privileged or personal. When
plaintiff found out what had happened, the court was requested to quash the subpoena and award
sanctions, which the court did stating that the subpoena was massively overbroad and violated Federal
Rules. Farey-Jones did not appeal that award.
However, the ISP employees whose e-mail had been furnished under the subpoena sued Farey-Jones
claiming violation of the Stored Communications Act, 18 U.S.C. § 2701 et seq., the Wiretap Act, 18 U.S.C.
§§ 2510-2522, and the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, as well as various state laws.
The district court held that none of the federal statutes applied and dismissed the claims. The plaintiffs
appealed.
The Ninth Circuit held that: (1) the disclosure by the ISP of e-mail messages, pursuant to the invalid and
overly broad subpoena, did not constitute an “authorized” disclosure under the Stored Communications Act;
(2) e-mail messages which were delivered to recipient and stored by ISP were in “electronic storage,” under
the Stored Communications Act; (3) no “interception” occurred in violation of the Wiretap Act; (4) the
Computer Fraud and Abuse Act provided a cause of action for unauthorized access to information stored
on a third party’s computer; and (5) Noerr-Pennington immunity did not protect conduct of serving invalid
subpoena. Affirmed in part; reversed in part; remanded.
Drafting Note to Second Alternative Clause 4.(f)
While Clause 4.(f) is found in many notices, the first Alternative Clause provides greater protection for CasesAI
because it includes investigations and proceedings that have not risen to the level of a subpoena, warrant
or order. The Second Alternative Clause is broader still. Customer is dependent upon the reasonable
judgment of CasesAI as to whether the personally identifying information should be released. Also release of
customer’s information may be made under a host of conditions, including contract enforcement, and fraud
and credit inquiries.
Drafting Note to Clause 5.(a)
Some customers are uncomfortable with computer tracking technologies that are planted in a user’s hard
drive without the knowledge or consent of the user. This Clause and the Alternative Clause are designed to
provide assurance to such customers that CasesAI does not engage in such practices.
Drafting Note to Alternative Clause 5.(b)
Two federal district courts have addressed at length class action privacy claims by Internet users who,
without the user’s consent, had information about them gathered during a Website visit or who had cookies
stored on their computer hard drive during a Website visit.
In In re DoubleClick Privacy Litigation, 154 F. Supp. 2d 497 (S.D.N.Y. 2001), the Internet users brought class
actions against DoubleClick, an Internet advertising corporation. The users claimed that DoubleClick’s
storage of computer programs, known as “cookies,” on computer hard drives of Internet users (1) who
accessed Websites that were affiliated with DoubleClick; and (2) who accessed featured advertising of
DoubleClick’s clients, constituted violations of Electronic Communications Privacy Act (ECPA), Federal
Wiretap Act (Wiretap Act), Computer Fraud and Abuse Act (CFAA), and state law. The court held that:
As to the ECPA:
• Web sites affiliated with DoubleClick were “users” within meaning of ECPA § 2701 authorized user
exception
• The Web sites authorized DoubleClick to intercept users’ communications with sites
• ECPA protections do not extend to DoubleClick’s “cookies”
And, as to the Wiretap Act:
• Web sites’ authorization of DoubleClick’s interception of users’ communications was within consent
exception to Federal Wiretap Act
• “Criminal or tortious act” exception to Wiretap Act’s consent exception was inapplicable
And, as to the CFAA:
• Any loss actionable under CFAA is subject to Act’s damages minimum
• Damages under CFAA may only be aggregated for a single act –and–
• Alleged damages to value of users’ demographic information were not compensable economic damages
under CFAA
In re Intuit Privacy Litigation, 138 F. Supp. 2d 1272 (C.D. Cal. 2001), arose as a result of Intuit’s
implantation of cookies on computer users’ hard drives when the users visited one of Intuit’s Websites. The
court dismissed the Wiretap Act and the Computer Fraud and Abuse Act claims without prejudice holding
that plaintiffs had failed to sufficiently plead causes of action under these federal statutes.
In dismissing the Wiretap Act claim, the court held that the complaint failed to allege that Intuit was
motivated by a criminal or tortious purpose which is a requisite under the statute. As to the CFAA the court
held that economic damages are a necessary element of the CFAA, that plaintiffs had not provided
sufficient facts to satisfy the statutory minimum of $5,000 in economic damages, but that they should
nevertheless have the right to do so. The court, however, let stand the Electronic Communications Privacy
Act claim, refusing to find that Intuit as the host of the Quicken Website was authorized to grant access to
data on the plaintiff’s computers.
Drafting Note to Clause 6.(a)
This clause should only be used to the extent that it reflects actual company practices. If the company does
no more than encrypt billing and payment data then that is all that should be stated.
Drafting Note to Alternative Clause 6.(a)
A more ambiguous commitment than the principal clause; however, identifying a specific technology is not
recommended. The phraseology of the next alternative clause, “industry standard encryption technologies”
is suggested.
Drafting Note to Third Alternative Clause 6.(a):
If CasesAI decides to include minimal customer security assurances, this clause should be considered. Note:
“intends to protect,” not “protects;” also, “implements appropriate measures and processes.”
Drafting Note to Clause 6.(b)
A recommended protection against third party actions beyond the control of CasesAI.
Drafting Note to Clause 7.(a)
It is advisable that CasesAI disclose to customer that the content of this privacy notice may be changed by CasesAI
without personal notice to customer other than the posting on the CasesAI Web site. With regard to customer
acceptance of the change, CasesAI can rely on customer’s tacit acceptance based on the customer not
notifying CasesAI that the change is not acceptable and by the acts of customer in continuing to purchase from
CasesAI. The last set of bracketed language illustrates an opt-in/opt-out option for the customer. If customer
does not mark either box, tacit acceptance of the policy change is assumed. If the customer does not
accept the change, then customer has opted-out of the transactional relationship with CasesAI and has in effect
cancelled.
Drafting Note to Clause 9.(a)
If CasesAI is certified by a third party privacy service and/or certification organization, the customer should be
encouraged to discuss its complaint with the organization, some of which organizations will mediate a
dispute between CasesAI and the customer.
Alternate & Optional Clauses
Alternate Clause 1.(b):
(b) [Anonymous] Web Site Visits.
CasesAI collects certain information from CasesAI Web Site visitors. This includes, but is not limited to, the
home server domain name, e-mail address, type of computer and web browser, what pages visitor
accessed, and limited information about search requests. This information is used to solve technical
problems and to calculate overall usage statistics.
Alternate Clause 2.(c):
(c) Information from Children.
CasesAI does not collect or maintain information from users actually known to be under the age of 13, and no
part of CasesAI’s Web sites are structured to attract anyone under the age of 13.
While this alternative provision reflects the COPPA Rule, if the products or services sold might be of
interest to a child, such as clothing, a CD or a book, the alternative clause lacks defensive measures.
Alternative Clause 2.:
Lost or Stolen Information.
Help keep your personal information accurate. If a customer’s personal information has changed, please email the new information to CasesAI at the e-mail address shown in Paragraph (a). If a customer would like to
review the personal information CasesAI has in its files regarding the customer, e-mail your request to CasesAI
together with the description of a recent purchase.
Alternate Clause 3.(a):
(a) Limited Uses Identified.
Personal information collected by CasesAI will be used by CasesAI for the following purposes: [specify the
purposes, such as for statistical analysis of customer’s behavior; for product development; for content
improvement; to customize the content and layout of CasesAI’s Web site; for internal company reviews; and so
on].
If personally identifiable information will be used for purposes not transaction related, those purposes
should be disclosed. CasesAI will then have the benefit of having the customer’s tacit consent to CasesAI’s privacy
practices.
Alternate or Additional Clause 3.(b):
(b) Marketing Uses.
The information you provide to the CasesAI Web site may also be collected, used, analyzed and/or processed
by CasesAI, or selected third parties on CasesAI’s behalf, for marketing and other business purposes. Before
CasesAI uses the information, however, CasesAI will notify customers and offer customers the opportunity to opt-out if a customer wishes not to have personal identifying information used in this way.
Some notices provide that once the personal identifying information is aggregated and thereby becomes
non-identifying, that the identifying information is retained only as required for transaction related purposes.
First Alternate Clause 4.(b):
(b) Mergers and Acquisitions.
For the purpose of developing and expanding its business, CasesAI may share, rent, sell or buy business
assets. In such transactions, customer information is generally one of the transferred business assets. Also,
in the event CasesAI is acquired, customer information will be one of the transferred assets.
Second Alternate Clause 4.(b)
(b) Mergers and Acquisitions.
CasesAI never shares, sells or rents your personal information [without prior notice to customer and the
opportunity to opt-out].
First Alternate Clause 4.(f):
(f) Disclosure to Governmental Authorities.
CasesAI may release personal information to appropriate governmental authorities where release is required
by law (for example, a subpoena) or by a regulation, or is requested by a government agency conducting
investigations or proceedings.
Second Alternate Clause 4.(f):
(f) Disclosure to Governmental Authorities.
CasesAI releases personal identifying information when CasesAI [reasonably] believes release is appropriate to
comply with law, to enforce CasesAI agreements, or to protect the rights, property or safety of CasesAI
customers. CasesAI may also release such information in an exchange of information with other companies
and/or organizations for the purposes of fraud protection and credit risk reduction.
While Clause 4.(f) is found in many notices, the first Alternative Clause provides greater protection for CasesAI
because it includes investigations and proceedings that have not risen to the level of a subpoena, warrant
or order. The Second Alternative Clause is broader still. Customer is dependent upon the reasonable
judgment of CasesAI as to whether the personally identifying information should be released. Also release of
customer’s information may be made under a host of conditions, including contract enforcement, and fraud
and credit inquiries.
Alternate Clause 5.(a):
(a) No Tracking of Personal Information.
CasesAI’s Web site(s) are not set up to track, collect or distribute personal information not entered by visitors.
Our site logs do generate certain kinds of non-identifying site usage data, such as the number of hits and
visits to our sites. This information is used for internal purposes by technical support staff to provide better
services to the public and may also be provided to others, but, again, the statistics contain no personal
information and cannot be used to gather such information.
Alternative Clause 5.(b):
(b) Use of Cookies.
A cookie is a small amount of data that is sent to customer’s browser from a Web server and is stored on
the computer’s hard drive. CasesAI uses non-identifying cookies to provide easier site navigation. CasesAI’s
Web site(s) can still be used if customer’s browser is set to reject cookies. CasesAI’s cookies do not generate
personal data, do not read personal data from your machine and are never tied to anything that could be
used to identify you.
Two federal district courts have addressed at length class action privacy claims by Internet users who,
without the user’s consent, had information about them gathered during a Website visit or who had cookies
stored on their computer hard drive during a Website visit.
In In re DoubleClick Privacy Litigation, 154 F. Supp. 2d 497 (S.D.N.Y. 2001), the Internet users brought class
actions against DoubleClick, an Internet advertising corporation. The users claimed that DoubleClick’s
storage of computer programs, known as “cookies,” on computer hard drives of Internet users (1) who
accessed Websites that were affiliated with DoubleClick; and (2) who accessed featured advertising of
DoubleClick’s clients, constituted violations of Electronic Communications Privacy Act (ECPA), Federal
Wiretap Act (Wiretap Act), Computer Fraud and Abuse Act (CFAA), and state law. The court held that:
As to the ECPA:
• Web sites affiliated with DoubleClick were “users” within meaning of ECPA § 2701 authorized user
exception
• The Web sites authorized DoubleClick to intercept users’ communications with sites
• ECPA protections do not extend to DoubleClick’s “cookies”
And, as to the Wiretap Act:
• Web sites’ authorization of DoubleClick’s interception of users’ communications was within consent
exception to Federal Wiretap Act
• “Criminal or tortious act” exception to Wiretap Act’s consent exception was inapplicable
And, as to the CFAA:
• Any loss actionable under CFAA is subject to Act’s damages minimum
• Damages under CFAA may only be aggregated for a single act –and–
• Alleged damages to value of users’ demographic information were not compensable economic damages
under CFAA
In re Intuit Privacy Litigation, 138 F. Supp. 2d 1272 (C.D. Cal. 2001), arose as a result of Intuit’s
implantation of cookies on computer users’ hard drives when the users visited one of Intuit’s Websites. The
court dismissed the Wiretap Act and the Computer Fraud and Abuse Act claims without prejudice holding
that plaintiffs had failed to sufficiently plead causes of action under these federal statutes.
In dismissing the Wiretap Act claim, the court held that the complaint failed to allege that Intuit was
motivated by a criminal or tortious purpose which is a requisite under the statute. As to the CFAA the court
held that economic damages are a necessary element of the CFAA, that plaintiffs had not provided
sufficient facts to satisfy the statutory minimum of $5,000 in economic damages, but that they should
nevertheless have the right to do so. The court, however, let stand the Electronic Communications Privacy
Act claim, refusing to find that Intuit as the host of the Quicken Website was authorized to grant access to
data on the plaintiff’s computers.
First Alternate Clause 6.(a):
(a) Commitment to Online Security.
CasesAI works to protect the security of customer personal information during transmission by employing
software which encrypts the information that customers and prospects input. CasesAI’s practice is to reveal
only the last five digits of customer’s credit card numbers when confirming an order. During order
processing the entire credit card number is revealed to the credit card company selected by customer.
A more ambiguous commitment than the principal clause; however, identifying a specific technology is not
recommended. The phraseology of the next alternative clause, “industry standard encryption technologies”
is suggested.
Second Alternate Clause 6.(a):
(a) Commitment to Online Security.
CasesAI uses industry standard encryption technologies when transferring and receiving personal information.
CasesAI maintains security measures in its physical [facility OR facilities] designed to protect against the loss,
misuse or alteration of information that CasesAI has collected from user.
Third Alternate Clause 6.(a):
(a) Commitment to Online Security.
CasesAI intends to protect customer personal information and to maintain its quality. To achieve information
security and quality, CasesAI implements appropriate measures and processes, such as using encryption
when transmitting certain sensitive information.
If CasesAI decides to include minimal customer security assurances, this clause should be considered. Note:
“intends to protect,” not “protects;” also, “implements appropriate measures and processes.”
Alternate Clause 8.(a):
(a) Information Maintained by CasesAI.
CasesAI will provide customer with access to the following personally identifiable information: [list the
information] for the limited purpose of viewing. Go to page of this Web site and enter customer’s account
password. If customer wishes to obtain a copy of particular information that customer provided to CasesAI,
send an e-mail request to [provide e-mail address].