Internet Lawyers for Oregon

The Americans with Disabilities Act (ADA) was written before the internet became central to commerce, so it doesn’t mention websites directly. Even so, the Department of Justice (DOJ) and many courts interpret Title III of the ADA, which requires “places of public accommodation” to be accessible, as applying to business websites. Courts don’t all agree on how far this extends. Some circuits require a nexus between a website and a physical location, meaning the site must be accessible if it’s tied to a store, restaurant, office, or other public-facing space. Other courts, and the DOJ itself, have taken a broader view that business websites must be accessible even without a physical counterpart. Because of this split, the safest position for any business is to treat its website as covered. The ADA applies regardless of business size. There’s no exemption for small businesses, but the statute includes the concept of “readily achievable” modifications. That means a business is expected to remove barriers that can be fixed without much difficulty or expense, but may not be required to implement changes that would be disproportionately burdensome given its resources. For example, adding alt text to product photos or fixing color contrast issues is generally readily achievable, while rebuilding a custom platform from scratch may not be. Since the ADA doesn’t contain technical rules for websites, the accepted benchmark is the Web Content Accessibility Guidelines (WCAG). Courts, regulators, and industry settlements typically point to WCAG 2.1 Level AA as the measure of accessibility. The guidelines cover requirements like screen reader compatibility, keyboard navigation, alternative text for images, captions for videos, and minimum color contrast ratios. The most practical first step is to audit your website. Free tools such as WAVE, axe, or Google Lighthouse will flag common accessibility issues. Automated testing alone isn’t enough, so include some manual checks like trying to navigate your site using only the keyboard or using a screen reader like NVDA or VoiceOver. These steps will help you see whether a visitor with visual or mobility impairments can realistically use your site. Once you identify problems, address them in order of impact. Adding descriptive alt text, ensuring sufficient color contrast, labeling form fields, and providing captions for video content are straightforward fixes that eliminate many of the most common barriers. For higher-risk businesses (those with physical locations open to the public, significant e-commerce, or work in regulated fields like healthcare) it’s wise to hire an accessibility consultant or developer experienced in WCAG compliance for a more thorough audit. Although making a “good faith” effort to improve accessibility isn’t a formal legal defense under Title III, it can reduce your practical risk. Regulators, courts, and plaintiffs’ attorneys often take into account whether a business has documented efforts to comply. Publishing an accessibility statement on your site, referencing WCAG standards, and providing contact information for reporting barriers signals that you’re committed to inclusion and gives customers a way to resolve issues without escalating to litigation. Accessibility lawsuits against small businesses have grown in recent years, particularly in states like California, New York, and Florida. Defending or settling such cases can be expensive. Even if your exposure seems limited, making your website accessible improves usability for all visitors and expands your customer base. Statutes and Regulations: • Americans with Disabilities Act, Title III: 42 U.S.C. § 12181 et seq. • ADA Title III Regulations: 28 C.F.R. Part 36 Government Guidance: • DOJ Guidance on Web Accessibility and the ADA: https://www.ada.gov/resources/web-guidance/ • DOJ Small Business Primer on ADA Compliance: https://www.ada.gov/resources/title-iii-primer/ Technical Standards: • WCAG 2.1 Guidelines: https://www.w3.org/TR/WCAG21/ • WCAG 2.2 Guidelines (2023 update): https://www.w3.org/TR/WCAG22/ Testing Tools: • WAVE Web Accessibility Evaluation Tool: https://wave.webaim.org/ • axe DevTools Accessibility Scanner: https://www.deque.com/axe/ • Google Lighthouse Accessibility Audit: https://developer.chrome.com/docs/lighthouse/overview/

A well written AUP will provide your employees, staff, and users with clear guidelines regarding what they can use company resources for and what is inappropriate. There may be conduct that blatantly crosses the line, such as using the company logistics software to break the law, but an AUP will also address those circumstances that are less clear, such as using internal messaging to ask a co-worker out on a date or to pass along inappropriate comments. It should also address potential security and data privacy breaches that may result from using poor oversight of company databases, introducing insecure devices to the network, or visiting potentially compromised websites and responding to phishing emails.

While California law doesn’t explicitly require every business to post disclaimers, certain legal notices are absolutely mandatory. And having the right disclaimers in place can make a huge difference in protecting your business. The Non-Negotiable Requirement: Privacy Policies If your website collects any kind of personal information from visitors, and chances are it does, you’re required by California law to have a clearly posted privacy policy. This requirement comes from the California Online Privacy Protection Act, or CalOPPA. It doesn’t matter whether your business is physically located in California. If someone in the state can access your site and you’re collecting things like email addresses, customer contact forms, or even just using Google Analytics, you’re covered under this law. The policy needs to be labeled “Privacy” in a way that’s easy to see. That means the word should be in capital letters and at least the same size as surrounding text. It also needs to be clearly accessible from your homepage. If you don’t comply, the state can hit you with a $2,500 fine for every violation. That can add up quickly. CCPA and the Higher Bar for Larger or Growing Businesses Then there’s the California Consumer Privacy Act, or CCPA, which brings even more requirements into play. For 2025, your business may fall under CCPA if your annual revenue reaches $26,625,000, if you process personal data from 100,000 or more California residents, or if half your revenue comes from selling consumer data. It’s important to know that “sharing” now includes things like behavioral advertising and cross-site tracking. So even if you’re a smaller company using ad cookies, you might still be required to comply. And the penalties? They’ve gone up as well. Administrative fines can reach $2,663 per violation. Intentional violations can cost up to $7,988 each. Consumers can sue if there’s a data breach, and damages range from $107 to $799 per incident. Why Disclaimers Still Matter Even though they aren’t always legally required, disclaimers are an important part of managing risk. Here are a few you should seriously consider: Limitation of Liability: This lets users know your website and products are provided “as is” without guarantees. It protects you if someone misuses your content or products. Professional Advice Disclaimer: If you offer any sort of informational content, like guides or blog posts, be clear that the material doesn’t constitute legal, medical, or professional advice. Product Disclaimers: If you sell physical goods, note that specifications may vary and you aren’t responsible for misuse. Third-Party Content: If your site links to other websites or displays third-party content, make it clear you aren’t responsible for what users encounter once they leave your site. California-Specific Legal Notices to Include In addition to your privacy policy and disclaimers, California expects businesses to provide several other notices: 1. Your business name and contact info, including email, phone number, and physical address. 2. Refund and return policies if you sell products or services online. 3. An accessibility statement, especially important as lawsuits under the ADA continue to rise. 4. A “Do Not Sell or Share My Personal Information” link if your business meets CCPA thresholds. Accessibility Is a Growing Concern California hasn’t yet mandated WCAG 2.1 Level AA compliance for all private businesses. Still, the increase in ADA-related lawsuits, along with new federal rules applying these standards to government websites, make this a smart area to address now rather than later. Data Broker? You May Need to Register If your business collects consumer data and either sells or shares it with third parties, California may classify you as a data broker. That means you’ll need to register annually with the California Privacy Protection Agency. The fee is $6,600, and starting in 2026, you’ll also be expected to publish annual reports and take part in a centralized deletion system for consumers. How and Where to Post Legal Notices Make sure your privacy policy is clearly labeled and linked in your website’s footer. Disclaimers can either live on a separate “Disclaimer” page or be included in your Terms of Service. What matters most is that these notices are easy to find and written in plain, understandable language. The Final Analysis Disclaimers may not always be legally required, but they offer vital protection. Privacy policies are absolutely mandatory if your business collects personal data from California residents, and the cost of non-compliance can be substantial. Given how quickly the legal landscape evolves, it’s a good idea to schedule a privacy policy review at least once a year. If you’re not sure whether your current notices are sufficient, consider speaking with a California business attorney. A quick legal review now can prevent major problems later.

You're smart to be thinking about legal liability when you're building a platform that hosts user-generated content. The good news is that U.S. law gives you some strong protections, as long as you set things up correctly. If you take the right steps early, you can limit your legal exposure while still giving users the freedom to share and interact. Your Best Legal Defense: Section 230 The main legal protection you'll be relying on is Section 230 of the Communications Decency Act. It basically says you're not legally responsible for what your users post. If someone uploads something defamatory or inappropriate, the law treats them as the publisher, not you. This covers a wide range of potential issues under state law like defamation, privacy violations, harassment, and even some negligence claims. You also have full control over how you moderate. Whether you decide to remove content or leave it up, that's your call. The law protects both your choice to moderate and your choice not to. What Section 230 Doesn't Cover Now, Section 230 is powerful, but it's not bulletproof. There are a few key areas where it doesn’t apply: Federal criminal law: If your platform knowingly facilitates criminal activity, you could be held liable. Courts generally require proof that you knew and intended to assist the illegal behavior, but it’s still something to watch out for. Intellectual property: Section 230 doesn’t shield you from copyright or trademark claims. This is where DMCA compliance becomes critical. Your own content: If you're directly involved in creating illegal or harmful content, you can’t hide behind Section 230. Stick to providing the platform, and stay out of shaping or producing the actual user content. How to Protect Yourself From Copyright Claims (DMCA) Copyright infringement is one of the biggest risks platforms like yours face. Fortunately, the DMCA gives you a way to protect yourself if you follow the right steps: Register a designated agent with the U.S. Copyright Office. This person (or company) receives official takedown notices. Registration costs $6 and has to be renewed every three years. You’ll also need to post the agent’s contact info clearly on your site. Set up a takedown system. If a copyright owner sends a valid notice, you’re required to remove the allegedly infringing content promptly. Create a repeat infringer policy. You don’t have to go hunting for violations, but if someone keeps uploading infringing content and it's brought to your attention, you need a policy in place and you need to enforce it. A Legal Landscape That’s Evolving in Your Favor In recent years, the courts have leaned even more in favor of platform operators. In 2024, the Supreme Court made it clear that content moderation decisions are protected by the First Amendment. That means you have the right to decide what stays up or gets removed, just like a newspaper editor can decide what gets published. At the same time, there's a new federal law to be aware of. The TAKE IT DOWN Act, passed in May 2025, requires platforms to give users a way to report non-consensual intimate images. Once you get a valid report, you have 48 hours to take it down. A few states like Texas and Florida have tried to pass laws limiting how platforms can moderate content. So far, the courts have mostly ruled those laws unconstitutional. The Supreme Court has suggested that forcing platforms to stay neutral on all content likely violates free speech protections. The Legal Foundation You Need First, make sure you’ve set up your company as a legal entity, like a Texas LLC or corporation. That gives you basic protection for your personal assets. Next, your Terms of Service should clearly state that users are responsible for what they post. Include clauses that ban illegal behavior and copyright violations, and make sure you have indemnification language that puts the legal burden back on users if their content causes issues. You'll also want Community Guidelines that spell out what kind of content is allowed or prohibited. Even though you're not required to moderate, having clear rules helps with consistency, sets expectations, and can make moderation easier if it becomes necessary. And whatever moderation systems you use, whether manual or automated, be sure to document decisions and user reports. This helps show that you’re acting in good faith if a dispute ever comes up. What This Means for You If you get these systems in place early, you’ll be in good shape. Big platforms rely on the same legal framework to operate safely at scale. It’s been tested in court over the last 25 years, and it works if you stick to the rules. Your day-to-day legal responsibilities will mostly involve handling DMCA takedown requests, removing clearly illegal content once you’re aware of it, and keeping your copyright agent registration up to date. It becomes routine once your platform is up and running. The bottom line is this. The legal framework was designed to protect innovation while still giving people ways to address serious harms. If you follow it properly, you can focus on growing your platform instead of worrying about getting sued for something a user posted. Most legal problems happen when a platform skips the setup or tries to cut corners. Investing a bit of time and legal advice upfront will pay off by keeping you protected in the long run.

There are three main parts of a privacy policy. One, you should be disclosing the kinds of information you collect from website visitors. For example: name, address, phone, email, credit card number, drivers license number, etc. Two, you should be disclosing how you use that information inside your organization. For example, for fulfilling purchases, providing customer service, processing payments, product improvement, marketing analytics, etc. Third, you should be disclosing how you share information with parties outside your organization. For example, you might use contractors and vendors to process payments, analyze website traffic, provide marketing analytics, etc. Another useful topic is how you protect information. You don't want to get so detailed that you give hackers a road map, but you can make general statements about using encryption, etc. And depending on the nature of your website and business, you may need to address GDPR or collecting information from children.