Retailers Can Put Anything In A User Agreement, But There's A Huge Catch

Attorney Mark D. Rasch is the former head of the U.S. Justice Department's computer crime unit and today is a lawyer in Bethesda, Md., specializing in privacy and security law.

I recently received a $25 debit card as an honorarium for giving a speech. To "activate" the gift card from, I had to give them my name, address, telephone number, Social Security number, user ID, PIN, and answer to three security questions – all that just for 25 bucks. In fact, what I really did was to open a bank account with $25 and a monthly maintenance fee of $4.95. I apparently agreed to all of this on the website of under their terms of service. But that’s not all I agreed to.

Years ago, I got a Wachovia stored value card, which similarly had outrageous fees – fees for putting money in, taking it out, checking the balance, loading the card, not loading the card, as well as an annual fee, monthly fees, etc. It amounted to usurious interest rates and fees of over 3000 percent. When I called to dispute one of the fees, the person on the other end told me that my wife (who had just handed me the phone) had authorized the fee–she did not, and I know this because I was standing right there.

It was then that the Wachovia representative told me that they had recorded the telephone call. When I informed them that neither my wife nor I had consented to the recording (in Maryland, like about a dozen states, all parties must consent to the recording), the Wachovia rep told me that they didn’t need consent because they were a federally chartered institution. Of course, the law makes no such distinction. This resulted in a class-action litigation against Wachovia (no, I didn’t initiate it) for unlawfully recording conversations without the requisite "this call may be monitored for quality assurance purposes."

Related story: The NRF has now come out against arbitration, but only if it doesn't involve retail customers. Then it's glorious.

But now, has gone one better. The user agreement, buried in pages of legalese, states that by activating my gift card, I have consented to their monitoring, recording or using the contents of my conversations with them. In other words, even though the Legislature has made a determination that these calls should be private, absent consent, Green Dot has decided to get my consent as a condition of activating my card. Of course, I had no choice. I couldn’t not activate the card and ask for my $25 in cash, since I hadn’t bought the card in the first place. I could have returned the card to the sponsor and hoped they could get their $30 back (they had to pay a $4.95 fee initially). But I couldn’t get my personal information back.There is a tendency among lawyers (and I am guilty as charged) to put all kinds of language in a Terms of Use or Terms of Service. And why not? Consumers rarely read them, and even if they do, they rarely choose to purchase products or services based upon these terms and conditions.

Courts have almost universally upheld these terms, and required consumers to give up substantial rights, including the right to sue for defective products or other disputes, the right to engage in or participate in class action litigation, the right to pursue legal or other remedies in the jurisdiction in which they live, and even the right to export the product or service or to even discuss or publicize complaints they may have about the product or service.

In a particularly egregious case, a software license agreement provided that the user could not "benchmark" or compare that product against competitors. Sure, why not? You can put pretty much anything into the contract, knowing full well that nobody is ever going to read it.

Unless the contract violates state or local law, or is what the law calls "unconscionable" (e.g., you have to give up a kidney), the courts will enforce them–even if the consumer never read it. The retailer can force consumers to give up a lot of rights in the fine print. This means that Green Dot can record my conversations, and there is nothing I can do about it.

Ultimately, there may be a consumer revolt, or one by the courts.

These "take it or leave it" contracts, while generally enforceable, are called "contracts of adhesion." Courts don’t like them, and neither do consumers. As retailers get greedier–requiring, for example, consumers to provide a wealth of personal information as a condition of buying a T-shirt or a pack of gum—either the courts or legislatures may step in.

They have already done so in the areas of warranties, mandating certain warranties even though a consumer may waive that right by contract. Legislatures in the 1970s demanded consumer protections even if consumers couldn’t do so themselves.

There’s another problem for retailers. I don’t know why Green Dot needed (or thought they needed) my Social Security number for a $25 gift card. But they have bought themselves more than $25 of potential liability. Every time a retailer collects and retains personal information about a consumer, they have either an express or implied duty to protect the privacy of that data. This means encryption, access control, log monitoring, intrusion detection, intrusion prevention, data breach awareness and training, data monitoring, etc.

That’s an awful lot for just $25. And if there is a breach of the personal data, the costs can be much higher than $25. So, all this means that if you don’t need someone’s phone number to sell them batteries, don’t ask for it. CRM is a double-edged sword. So are Terms of Use and Terms of Service. Keep them simple, direct and necessary to accomplish your objectives. Don’t overreach. And protect whatever data you get. Follow the Mom rule – if your mom can’t understand the agreement, it’s probably too complicated. And that’s a good rule of thumb.

If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.