Privacy Policies & User Agreements

[Part I of II - Click here for Part II (coming October 2009)]

From the September 2009 Issue

We’ve gotten so used to computers and the Internet that we’ve grown complacent about something that used to be second nature, especially for those in the financial sector. Perhaps willingly blind or so increasingly multi-tasked, we enter into literally dozens of legal agreements each day without even reading the fine print. In fact, most of us essentially just say, “Okay, I trust you,” without even glancing at them.

These contractually binding agreements are the end-user license agreements (EULAs), terms of service and privacy policies for all of the programs you use, whether installed on your office and home computers or accessed via the Internet. Considering how much we rely upon these technologies for so many aspects of our professional and (increasingly) even our personal lives, our complacence should not be acceptable.

It isn’t feasible, of course, for users to be required to fully read such an agreement each time they use a program just in case there has been an update to a clause or a sentence has been reworded or deleted, resulting in a notable impact on the agreement. Likewise, it wouldn’t be expected of a car owner to read the owner’s manual every day, or of a homeowner to read their mortgage every day. These examples are much more static, however, than a contract related to the use of a computer program, especially hosted programs and websites. Nevertheless, we consent to these technology usage agreements multiple times per day without examining them and without concern. After all, why should we be concerned?

Before diving in, let me acknowledge the need for these agreement types and terms of service. Companies often spend years developing unique and useful technologies, and their investments need to be protected against potential copyright infringement, misuse or potential liability the company might face if users are not made aware of their own rights and responsibilities.

For the most part, the term end-user license agreement is associated with traditionally installed software programs, whether downloaded or copied from a disc. They are generally a “contract of adhesion,” meaning that the user has the choice to take it or leave it, but has no negotiating power. They mostly set out the conditions in which the software may be used, by whom, sometimes where, and for what purposes. These contracts are much more likely to be static than web-based technology agreements, in that the user has the copy of the contract in the form it was in when the user agreed to its conditions (when they purchased or licensed it). That said, agreements for some of these programs can be altered, especially when updating the system or if the program has any online integration.

In the early years of consumer-level software development (and even occasionally to this day), the user license was often contained within the program on the disc itself, and the outer wrapping of the disc or packaging notified users that opening it meant they agreed to this, as yet unseen, contract. Believe it or not, there is no definitive court ruling on the viability of these agreements (there have been rulings in favor of both sides). Fortunately, this practice has mostly disappeared, with programs now offering the license during installation, usually requiring users to “Click Here” to consent to the terms and conditions and continue with the installation.

In the increasingly cloud-based world of hosted programs, data storage and other applications, this is the area in which I have the most concern. A program or website’s “Terms of Service” are essentially the modern version of EULAs, once again setting out the user’s contractual conditions for use of a technology. One of the most significant differences, however, is that whether the program is installed on your computer or, more likely for this type of agreement, is a website or hosted program, it is considered a “service” that is subscribed to by the user, sometimes for a specific period of time. This directly takes away the ownership aspect of “buying” a new program.

I believe the more alarming prospect is the potential for changes in these agreements that alter user rights. And they do change. Earlier this year, for instance, Facebook caused a bit of a stir when a change in their terms of use noted that, henceforth, they would own the content that users put on Facebook pages. Facebook also claimed that the social networking site could “use your name, likeness and image for any purpose, including commercial or advertising.” They couldn’t really do this, could they? Of course they could, because its users agreed to whatever their privacy policy is every time they use their website. Faced with the mutinous users who might have quickly considered finding a replacement and also with a complaint to the FTC, Facebook abruptly reversed those policy changes.

Likewise, Google has been criticized by a few for the part of its business model in which it sells its users’ non-personal Internet usage information. According to their terms of use and privacy policy, they don’t directly release identifying information to third parties. But if a company with such a vast wealth of consumer and business data really wanted to, needed to for financial purposes or were acquired by a less reputable entity, they likely could, so long as they added a clause into their usage terms … the terms that we all agree to, even though we never look at them.

Now, I’m not calling Google the big bad enemy of the people, but I do think that the ease with which service agreements can change, plus the centralized role of the web browser in our business lives, the advent of hosted operating systems and the continued evolution of Web 2.0 and “the cloud,” means that more and more of the work we process and other stuff we do will potentially be in the hands of service providers who may be able to lay claim to the content and data.


Changes in terms of service are necessary to reflect the constant evolution in technologies and how they are used. Changes were made even in the days of CD-based programs, usually coming on update CDs or notices. In the always-on digital world of Web 2.0, updates can happen at any time. For hosted programs or those updated via the Internet, when changes are made there is often a click-through consent agreement, which users continue to ignore because they are too lengthy and usually make it difficult to find the changes. For websites, web-based tools and mobile phone applications, however, changes in terms of service may be largely unnoticed until they’ve been in effect for some time.

For the most part, violations of the terms of service of a website or a hosted program will result in a warning, suspension or termination from being able to use the technology. Most technology vendors aren’t even on the lookout for minor violations that don’t affect their sales, anyway. For instance, an accountant using a free online web calculator to provide a paid client service, even if the terms prohibit it, probably won’t be noticed. Only in the rarest of cases, usually those involving larger-scale copyright infringement, illegal activities like spamming other website users, creating malicious spyware or piracy, do they seek any kind of court action.

But when it comes to client and firm data, the potential loss of access to a hosted program or technology service is an especially important concern. The technology vendors close to the tax and accounting professions are very aware of both your professional needs and the near-sanctity of your client relationships. But for some vendors outside of our sphere (perhaps some of your clients’ vendors), this understanding may not be as well-defined, nor the company as well-intentioned.

As I noted earlier, I’m in favor of user and service agreements. They help protect technology companies that have provided us with incredible advances in the workplace and in our personal lives. We simply wouldn’t have the innovations in technology that we do today if we didn’t have these agreements. Users simply need to be much more aware of what they are, what they say, what they require and what they prohibit, especially if the technology is being used for business and client service. In the fine print you will find the answers to questions such as who owns the data, is any of it shared with third parties, and can it be accessed if a subscription to the service is terminated?

The biggest challenge, of course, is that nobody has the time to read through all of such agreements (and who would want to, aside from a contract lawyer?). Fortunately, I have a potential solution that could provide an automated, due-diligence oriented method for keeping track of these changes. In October, I’ll share that idea plus discuss how privacy policies fit into the overall equation.
