You Can't Hide Behind Your EULA

Cooley Alert
February 22, 2016

Companies trying to shift liability for data breach by hiding catch-all exclusion clauses in End User Licence Agreements (EULAs) can learn from one company's latest antics.

What's happened?

At the end of last year, Toy company VTech was subject to a data security breach which cost them the data of 6.3 million children and and 4.8 million parents. The data compromised included photos, voice messages and chat conversations between the adults and their children. Since the breach, VTech changed its Learning Lodge Software's EULA to include an exclusion of its liability for data breach, shifting the burden to parents to assume full responsibility for using its software:

"You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorised parties. You acknowledge and agree that your use of the site and any software or firmware downloaded therefrom is at your own risk."

What's the big deal?

Apart from being a bit mean, it goes against the basic principles of data protection and consumer law in the UK. The Data Protection Directive 95/46 EC places obligations on the data controllers and processors to take appropriate steps to protect the information from unauthorised disclosure or access, the burden is not on the data subject. Further, the Consumer Rights Act 2015 ("the Act") was drafted with the aim of increasing fairness and transparency for consumers, which includes in respect of digital content. The Act "greylists" certain limitations of liability and considers "transferring inappropriate risks to consumers" unfair and potentially unenforceable. Were this clause to be analysed in conjunction with the Act, it is unlikely the Competition and Markets Authority and/or Trading Standards would let this slip thought the net.

What now?

In response, the ICO stated that when handling people's personal data, organisations are responsible for keeping that data secure. It is unclear whether there will be formal consequences for VTech, but if they do not change the wording, they could come under further scrutiny. Currently, the ICO can impose limited fines. However, under the upcoming General Data Protection Regulation, the maximum fine for a breach of data protection law would rise to up to 4% of a company's worldwide turnover.

Organisations need to take care when drafting EULA and similar terms; blanket exclusions of liability which place unfair burdens on the consumer are likely to be seen as illegal and unenforceable and could have serious repercussions.

If you'd like further information or advice on your EULA or other consumer-facing terms, please contact one of the authors.

This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as “Cooley”). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. This content may be considered Attorney Advertising and is subject to our legal notices.