In re Zappos.com, Inc., Customer Data Security Breach Litigation

Background

Zappos has a customer base of over 24 million people. In January 2012, Zappos suffered a data security breach that gave hackers personal information of their customers. While the security breach exposed names, addresses, and phone numbers of Zappos customers, it did not expose the customers' credit card information. After Zappos became aware of the security breach, Zappos sent an email to its customers notifying them of the security breach and advised that they change their login credentials on the site.

Several Zappos customers independently filed suit against Zappos claiming that their business model did not protect the valuable information of their customers. Plaintiffs listed twelve causes of action for the suit accusing Zappos of not taking adequate measures to safeguard customers' personally identifiable information. By June 2012, there were nine lawsuits in progress, originating from five court districts.

After the lawsuits multiplied, Zappos moved to consolidate these pre-trial proceedings into a centralized forum. The Judicial Panel on Multidistrict Litigation agreed that centralization would help move the cases along by avoiding duplicate work. The most time-saving implementation being a resolution of the facts involved in the case and series of events leading to and following the security breach. Because of the location of the plaintiffs, many suggested their home districts for the centralized proceedings: the District of Nevada, the Western District of Kentucky, the Southern District of Florida, and the District of Massachusetts. The Judicial Panel concluded that the District of Nevada was most appropriate because the breached Zappos servers and their administrators were based in Hendersonville, Nevada.

On 14 June 2012, Zappos filed a motion to compel arbitration and stay action. Such a motion would require that the Court stop proceedings on the consolidated suits that were arranged to take place in a single class action. Zappos would now require each individual plaintiff to go through an arbitration process. This motion was held in a clause in Zappos's terms of use, which declared that disputes shall be resolved through confidential arbitration.

Any dispute relating in any way to your visit to the Site ... shall be submitted to confidential arbitration in Las Vegas, Nevada, .... You hereby consent to, and waive all defense of lack of personal jurisdiction in the state and federal courts of Nevada.

Zappos argued that its customers were required to go through arbitration instead of personal jurisdiction because they automatically agreed to the terms of use when they used the Zappos.com website. Browsewrap agreements such as this are created when the user does not have to click a button or check a box to indicate that they have accepted the terms of service for a particular website.

ACCESSING, BROWSING, OR OTHERWISE USING THE SITE INDICATES YOUR AGREEMENT TO ALL THE TERMS AND CONDITIONS IN THIS AGREEMENT

The difference between a clickwrap agreement and a browsewrap agreement is that in a browsewrap agreement, the visitor to a site accepts the terms of service simply by visiting the website.

Opinion of the Court

The Court denied Zappos's motion to compel arbitration and stay action for two reasons: 1. the plaintiffs did not assent to the terms of use, and 2. the arbitration requirement is unenforceable.

The Court started by citing the Federal Arbitration Act and pointed out that the right to compel arbitration relied on a valid contract, which that element was highly contested. Judge Jones cited several cases supporting the procedure of determining whether the parties formed a contract before deciding whether or not to compel arbitration including Chiron Corp. v. Ortho Diagnostics Sys., Inc., 207 F.3d 1126 (2000). In other words, the right to compel arbitration requires an enforceable contract, and an enforceable contract requires mutual assent. This brought the nature of Zappos's terms of use into question and whether the user had actually entered a contract with Zappos under the browsewrap agreement.

In a browsewrap agreement, the user must know of the website's terms and conditions in order to accept them. The Court points out that on the Zappos website, a link to the terms of use is towards the bottom of each page; "when the Zappos.com homepages is printed to hard copy, the link appears on page 3 of 4." The link did not have any distinguishing features that set it apart from surrounding links. This embedding of terms did not make it reasonably obvious to the user where and how to find the terms, indicating the user experience was flawed. Additionally, the site did not give special mention of the terms of use when a user would sign up, log in, or make a purchase, further indicating that there was no mutual agreement once the user gave Zappos personal and private information. From this, the Court concluded that the Plaintiffs may not have known about the terms of use, arguing that "No reasonable user" would have clicked the link.

The Court also highlighted a clause in Zappos's terms of use, which declared, "We reserve the right to change this Site and these terms and conditions at any time." This would give Zappos the right to choose whether to pursue arbitration, and its customers would be bound by its decision automatically. The Court wrote that this kind of agreement would give Zappos an "escape hatch" that it could use "if it determined arbitration was no longer in its interest." Because of this, the Court found that the arbitration agreement is illusory and would not be enforced in this case.

Zappos argued that, under the equitable estoppel doctrine, the plaintiffs may not sue for breach of contract trying to avoid the terms of use by not submitting to arbitration. The Court declined to apply the doctrine, stating that the plaintiffs were not aware of the terms of use, and they were suing based on "other statements and guarantees found on the website."

Subsequent developments

Zappos did not make any changes to its terms of use following the Court decision. Law blogger William Carleton reported on 8 November 2012, two months after the decision, that Zappos's terms of use was identical to an archived copy from May 2011. Carleton also tried registering for the site and placing an order. He noted that there was still no salient presentation of the terms of service nor any dedicated "accept" button.

On 9 September 2013, the Court dismissed most of the common law claims against Zappos. The Court also dismissed a few of the statutory claims, some with leave to amend.

Commentary from law blogs

Many law blogs posted advisories to businesses in response to this decision. One common theme was the recommendation of clickwrap over browserwrap, in which the site explicitly obtains assent when a user clicks an "accept" button. Another common recommendation was for businesses to revise or remove any language from its terms of use that would allow it to change the terms of use without notice.

Law firm Lewis Roca Rothgerber pointed out that this decision does not declare all browsewrap contracts unenforceable. This case decided that Zappos's particular implementation of their terms of use, and the arbitration clause in particular were unenforceable. The law firm stated that browsewrap agreements have been enforced in other courts. It also suggests that businesses that want to continue to use browsewrap agreements should provide a conspicuous link to their agreements, "Front and Center."

Law firm Stanfield Hiserodt suggested that the size of the case, with 24 million claimants in the class action, may have played a role in the decision. Stanfield drew attention to the impossibility of having all 24 million individuals visit Nevada for arbitration.