Did You Agree to Share Your Home Wi-Fi Network?
On June 6, 2021, Amazon launched, and automatically enrolled users with compatible devices into, “Sidewalk,” its new internet-sharing wireless mesh network. Sidewalk crowdsources data and bandwidth from home Wi-Fi connections via Amazon Echo smart speakers and smart displays, Ring devices, and Tile trackers. If you have these devices in your home, your internet bandwidth is likely now being shared to help other Sidewalk devices that are in range—like a neighbor’s Echo—connect to the internet.
Amazon is following the path forged by Comcast’s Xfinity unit with “xfinitywifi.” Since 2014, Xfinity customers have had access to a widespread public Wi-Fi SSID outside of their home. This public Wi-Fi network, named “xfinitywifi,” is made possible by customers accessing routers that other Xfinity customers lease from Comcast.
Despite criticism of the potential security and privacy concerns,[1] customers are automatically enrolled in these programs without a separate contract. Most customers don’t realize they are sharing their Wi-Fi, much less of the need to opt out of it.[2]
Automatic Opt-In Contracts
Amazon binds users of Echo, Ring, and other devices to Sidewalk’s terms with a “sign-in-wrap” agreement when they log into their account. That the consent is buried in their device contracts would surprise most users, not to mention their automatic opt-in to Wi-Fi sharing just by continuing to use their device. Similarly, many Xfinity customers are likely unaware they are sharing the Wi-Fi generated by their leased modem via the public “xfinitywifi” channel.
There is widespread concern about, and proposed legislative limitations on, automatic opt-ins that may affect the privacy of consumers’ personal information.[3] However, there is much less discussion about whether automatic opt-in to unrelated terms in connection with an online purchase of goods or services is (or should be) enforceable.
Most online purchases of goods or services are just as legal and enforceable as traditional paper-and-ink contracts, thanks to the federal Electronic Signatures in Global and National Commerce Act (ESIGN).[4] In addition, most states have adopted either the Uniform Electronics Transactions Act (UETA) or their own e-signature laws that confirm the legal validity of electronic signatures and contracts. (see, e.g., Colo. Rev. Stat. § 24-71.3-103). Online consumers nowadays consent to contractual terms with an electronic signature or, most commonly, by clicking an “I accept” button. Neither UETA nor ESIGN, however, provide specific guidance on the limitations of passive consent and automatic opt-ins so it is left to the courts, applying traditional contractual principles, to determine their validity and enforceability in specific situations.
Courts generally focus on whether the user had reasonable notice of the terms, actual or constructive, and the extent to which there was express assent.[5] Some courts put the responsibility on the consumer to read and understand the terms, and accept the notion that clicking “I agree” or continuing to use the platform is binding acceptance of the terms, whether read or not.[6] Other courts have found it unreasonable to bind a consumer to terms they were never prompted to read or, in some cases, required to read.[7]
In Berkson v. Gogo LLC,[8] when the user “signed up,” Gogo automatically enrolled them in a recurring service, rather than for a single month as the plaintiff alleged. The federal district court in Berkson concluded that Gogo’s website and sign-in screen, which requested the user’s username and password, and underneath the text: “By clicking ‘Sign in’ I agree to the terms of use and privacy policy,” did not give the user sufficient notice of the terms. Forced to apply a confusing combination of New York, California, and Illinois contracts law, the Berkson court used a four-part test (1) Is there “substantial evidence” that a user understood they were agreeing to actual terms and conditions? (2) Does the website’s design make the terms clearly available to the user? (3) Does the website’s design encourage the user to review the binding terms, as opposed to minimizing their importance? (4) Does the contract clearly draw the user’s attention to material terms?
In Kemenosh v. Uber Techs., Inc.,[9] Uber’s rider registration screens, as viewable from the iPhone application, were not “inconspicuous but rather failed to adequately communicate” the website’s terms:
The Kemenosh court suggested that, if Uber had required the user to check a box, “I read and agree to the Terms of Service,” or even included a pop-up message, “Please read the Terms of Service before continuing,” then that might have been sufficient to form a contract with an iPhone enrollee that included the disputed terms.
Conclusion
Without statutory guidance on the enforceability of passive consent and automatic opt-in terms, courts are left to their own devices (pun intended) in determining whether a buried term causing automatic opt-in to an ancillary service like Sidewalk or xfinitywifi should be enforceable. Companies seeking to create valid and enforceable agreements for meaningful but unnecessary issues or for ancillary services are well advised to require the online consumer to expressly confirm review of such terms, or even to visit the terms page before allowing such consent. Notwithstanding such steps, however, online businesses should not assume the effectiveness of consumer consent to entirely distinct matters from the subject of the contract, like Sidewalk services in a Ring or Echo agreement. An enforceable agreement to such collateral terms may require a specific consent focused on those terms.
By contrast, for important but not necessarily assumed terms, like mandatory arbitration, waiver of jury trial, and limitations on damages, it seems likely that consumer confirmation of having read and accepted the terms will be sufficient in most circumstances. Online businesses should appreciate, however, that evaluating the reasonableness of such consent may consider everything from the hyperlink’s color and placement, the design elements elsewhere on the screen, the size of the print, and the language used to draw the user’s attention. In the absence of federal or uniform legislative action, these subjective standards may continue to foster inconsistency and uncertainty for businesses and consumers as to the binding effect of nonessential contractual terms in online transactions.
[1] Even the Washington Post, owned by Amazon Chairman and Founder Jeff Bezos, has expressed alarm about the privacy and security issues inherent in Sidewalk. https://www.washingtonpost.com/technology/2021/06/07/amazon-sidewalk-network/.
[2] Instructions to disable Sidewalk on Echo devices, https://www.amazon.com/gp/help/customer/display.html?nodeId=GZ4VSNFMBDHLRJUK, and Ring devices, https://support.ring.com/hc/en-us/articles/360032524592-Opting-In-and-Out-of-Sidewalk. Instructions for disabling xfinitywifi sharing, https://www.xfinity.com/support/articles/disable-xfinity-wifi-home-hotspot?view=app.
[3] See, e.g., https://arstechnica.com/tech-policy/2021/05/privacy-bill-would-force-big-tech-to-offer-tracking-opt-out-breach-notices/.
[4] 15 U.S.C.S. § 7001 et seq.
[5] Cullinane v. Uber Techs., Inc., 893 F.3d 53 (1st Cir. 2018) (does the online agreement provide “reasonably conspicuous notice of the existence of contract terms and unambiguous manifestation of assent to those terms”); Schnabel v. Trilegiant Corp., 697 F.3d 110, 120 (2d Cir. 2012) (“where the purported assent is largely passive, the contract-formation question will often turn on whether a reasonably prudent offeree would be on notice of the term at issue”); Specht v. Netscape Communs. Corp., 306 F.3d 17, 29-30 (2d Cir. 2002) (“clicking on a download button does not communicate assent to contractual terms if the offer did not make clear to the consumer that clicking on the download button would signify assent to those terms”).
[6] See, e.g., Vernon v. Qwest Commc’ns Int’l, Inc., 925 F. Supp. 2d 1185, 1191 (D. Colo. 2013) (users chose to agree to the conditions, even without reading them and must “accept the consequences” of being bound); Fteja v. Facebook, Inc., 841 F. Supp. 2d 829, 839-40 (S.D.N.Y. 2012) (user had ample opportunity to review via provided hyperlink and thus assented to terms by clicking “sign in” button); Swift v. Zynga Game Network, Inc., 805 F. Supp. 2d 904, 911-12 (N.D. Cal. 2011) (user with opportunity to review terms, chose not to, and clicked “I agree” anyway had sufficient notice).
[7] See, e.g., Nguyen v. Barnes & Noble, Inc., 763 F.3d 1171, 1179 (9th Cir. 2014) (contract unenforceable because consumers cannot be expected to look for hyperlinks with binding terms and conditions they may never be prompted to review); Specht, 306 F.3d at 20 (screen requiring user to follow links to more than one webpage not reasonable notice of terms to “reasonably prudent Internet user”); Berkson v. Gogo, 97 F. Supp. 3d 359, 399 (the text “By clicking ‘Sign In’ I agree to the terms of use and privacy policy” provided insufficient notice, because website did not draw user’s attention to terms with any signifiers of importance, and did not require user to click on terms).
[8] 97 F. Supp. 3d 359 (E.D.N.Y. 2015).
[9] No. 181102703, 2020 WL 254634 (Pa. Ct. Common Pl. Jan. 3, 2020).