1. This contract does appear to apply to the data breach check site run by equifax. To be specific, the contract at http://www.equifax.com/terms/ describes its scope of coverage as "ALL OTHER WEBSITES OWNED AND OPERATED BY EQUIFAX AND ITS AFFILIATES" which would appear to include https://www.equifaxsecurity2017.com (which links those terms).
2. Arbitration clauses are very bad in cases like this, because by far the most effective technique for forcing companies to compensate people and deterring similar problems in the future is the class action, and this arbitration clause, like so many others, includes a waiver of class actions. Class actions are important because litigation is really expensive and class actions are the only generally applicable way to aggregate enough small claims to make them financially viable. (They're the way we keep corporations from stealing five dollars from everyone in America.)
3. As someone down-thread correctly noted, arbitration clauses are also extremely enforceable. The short version is that the federal arbitration act puts a very big thumb on the scale in favor of the enforceability of even really oppressive arbitration clauses, and the Supreme Court has added a couple of thumbs of its own.
4. I can't tell whether Equifax meant to do this. The cynical interpretation is that some evil person decided "ok, there's going to be a panic and everyone is going to go to our website to check if their data is breached, so let's sneak in a way to get all these people out of class actions." The less cynical interpretation is "someone threw up a website, and the standard procedure within the company for throwing up a website is to include a link to these boilerplate terms of service." No way from the outside to tell which of these stories is true, and I'm not sure it really matters.
5. There are arguments that a sharp lawyer could make to try to convince a court that this clause is unenforceable. I'm happy to go into them if people want, but, offhand, I would much rather not have agreed to such a contract than have to try to convince a court to bounce it.
6. Yes, there is an opt-out. The opt-out is only useful for people who have actually read and understood the contract, which even with the press coverage is likely to be a vanishingly tiny percentage of the people who have inadvertently "agreed" to it. So it doesn't make it meaningfully less evil.
7. If you want to learn more about this kind of issue, I recommend Boilerplate by Margaret Radin. http://press.princeton.edu/titles/9837.html She does a great job of explaining why this kind of thing is a complete disaster and also bears no relationship to our traditional conception of what a contract is or should be.
Editing to add:
8. I guess I'll add really briefly that the key argument that this clause doesn't even apply would be that the contract distinguishes between "product terms of use" and "site terms of use," and that arguably the arbitration clause only applies to the purchase of products and registration.
If checking breach status doesn't count as purchasing a product, maybe that part (with the arbitration clause) doesn't apply on the terms of the contract itself. HOWEVER, registering for some kind of identity protection service as a result of having checked breach status probably does, so that's cold comfort to a lot of people who might use the site. I'll have to parse the contract more slowly and carefully before having any confidence in much more along these lines.
(Standard warning: nothing here is individual legal advice, contact an attorney in your jurisdiction before deciding whether you'll use this site, I'm just speaking about the overall interpretation of this contract and what we should think of it as citizens.)
Awesome answer - thank you. Forced arbitration is a pet issue of mine and one that, like, no one else seems to ever care about (except in really rare cases where it touches on some other nerve like food safety: http://www.latimes.com/business/la-fi-mo-general-mills-legal... )so since we got a real law professor here, I'd like to ask a couple questions:
1. Is there any legal reason any more for a corporation not to include forced arbitration in its contracts? Like any hidden downside? "Get out of class action free" card seems like a no-brainer.
2. Is there anything special you do in your day-to-day life to deal with forced arbitration issues? Avoid certain businesses, etc.? Have you ever actually tried to send one of those "opt-out" things and how did it go?
1. Honestly, I can't think of any downside, not in consumer contracts (as opposed to b2b) anyway. I guess there are some cases where particularly favorable courts might be preferable from the corporation's point of view (there's a court in Texas that gets tons of patent suits for that reason, also there are some states that are good for corporations --- Virginia has no class actions, for example). That's about it.
2. I personally haven't. (Though, a long long time ago, I did kick enough of a stink about an arbitration clause in a car loan contract that the dealership put some money on the table to make me stop.) The thing is, most of the time, for most consumers, it doesn't really matter--the probability that I'm likely to get harmed by some transaction enough to want to be part of a class action is so small, that it's probably rational for me on a day to day basis to just accept them. It's collectively that they're a problem, because they seriously damage one of the main ways that the legal system has to hold corporate misconduct accountable. So we really need a collective solution, rather than just individual avoidance. (Obviously, the exception being in cases like this Equifax thing were we know that litigation is on the immediate horizon.)
I've actually thought for a while about some solutions that people in the tech world might be able to work on. One idea that I just finished sketching out for print (will be in the University of Toronto Law Journal sooner or later) would be to build a kind of coordinated contract negotiation platform, where people could commit to saying "hey evilCorp, if a million other people also agree to this, we'll all collectively cancel our accounts unless you get rid of evil terms X, Y, and Z." This would resolve some of the collective action problems with it being individually rational to accept these terms usually but collectively disastrous. If, that is, people would use it...
> The less cynical interpretation is "someone threw up a website, and the standard procedure within the company for throwing up a website is to include a link to these boilerplate terms of service."
As somebody who has been building websites for living and worked with corporate clients, this is about 99% likely to be true IMHO. Unless they run an extremely efficient legal department with lawyer equivalents of Superman working there, it just doesn't happen that new and specifically case-targeted TOS appears that fast, especially in a large corporation environment. "Just toss a standard link there, nobody reads it anyway", OTOH, happens all the time.
1. This contract does appear to apply to the data breach check site run by equifax. To be specific, the contract at http://www.equifax.com/terms/ describes its scope of coverage as "ALL OTHER WEBSITES OWNED AND OPERATED BY EQUIFAX AND ITS AFFILIATES" which would appear to include https://www.equifaxsecurity2017.com (which links those terms).
2. Arbitration clauses are very bad in cases like this, because by far the most effective technique for forcing companies to compensate people and deterring similar problems in the future is the class action, and this arbitration clause, like so many others, includes a waiver of class actions. Class actions are important because litigation is really expensive and class actions are the only generally applicable way to aggregate enough small claims to make them financially viable. (They're the way we keep corporations from stealing five dollars from everyone in America.)
3. As someone down-thread correctly noted, arbitration clauses are also extremely enforceable. The short version is that the federal arbitration act puts a very big thumb on the scale in favor of the enforceability of even really oppressive arbitration clauses, and the Supreme Court has added a couple of thumbs of its own.
4. I can't tell whether Equifax meant to do this. The cynical interpretation is that some evil person decided "ok, there's going to be a panic and everyone is going to go to our website to check if their data is breached, so let's sneak in a way to get all these people out of class actions." The less cynical interpretation is "someone threw up a website, and the standard procedure within the company for throwing up a website is to include a link to these boilerplate terms of service." No way from the outside to tell which of these stories is true, and I'm not sure it really matters.
5. There are arguments that a sharp lawyer could make to try to convince a court that this clause is unenforceable. I'm happy to go into them if people want, but, offhand, I would much rather not have agreed to such a contract than have to try to convince a court to bounce it.
6. Yes, there is an opt-out. The opt-out is only useful for people who have actually read and understood the contract, which even with the press coverage is likely to be a vanishingly tiny percentage of the people who have inadvertently "agreed" to it. So it doesn't make it meaningfully less evil.
7. If you want to learn more about this kind of issue, I recommend Boilerplate by Margaret Radin. http://press.princeton.edu/titles/9837.html She does a great job of explaining why this kind of thing is a complete disaster and also bears no relationship to our traditional conception of what a contract is or should be.
Editing to add:
8. I guess I'll add really briefly that the key argument that this clause doesn't even apply would be that the contract distinguishes between "product terms of use" and "site terms of use," and that arguably the arbitration clause only applies to the purchase of products and registration. If checking breach status doesn't count as purchasing a product, maybe that part (with the arbitration clause) doesn't apply on the terms of the contract itself. HOWEVER, registering for some kind of identity protection service as a result of having checked breach status probably does, so that's cold comfort to a lot of people who might use the site. I'll have to parse the contract more slowly and carefully before having any confidence in much more along these lines.
(Standard warning: nothing here is individual legal advice, contact an attorney in your jurisdiction before deciding whether you'll use this site, I'm just speaking about the overall interpretation of this contract and what we should think of it as citizens.)