PokemonGO's Terms of Service & Privacy Policy are unenforceable legal disasters. Here's why.

Jul 12, 2016 4:33:51 PM

If you're anything like us here at the PactSafe offices, you're probably spending a few minutes over lunch this week wandering around the streets outside your office trying to catch Pokemon. If you're not, well, don't worry -- the guilt, shame, and embarrassment of walking around as a grown adult playing an adaptation of a late-90s children's game wears off quickly. There's still plenty of time for you to catch up, reach Level 5, and head over to the nearest Pokemon Gym in your neighborhood to do battle.

Just released to the public on July 5, PokemonGO is the latest gaming app to take the world by storm. The explosive growth of the game has already added $7.5 billion to Nintendo's valuation in the last week, it's already blown past popular "dating" app Tinder in downloads, and is set to blow past Twitter in daily active users soon. This isn't some niche Facebook game -- it's already latched on as a craze that leverages location-based technology and your phone's camera to create an augmented reality where users can capture Pokemon in "real life." If you're still confused, this Vox explainer should do the trick to catch you up.

Does this resurrection of Pokemon nostalgia seem too good to be true? Well, it is. The game's creators have a deep, dark secret that's letting them exploit users, and flaws in the presentation of their legal agreements may create major problems for the company's lawyers down the line.

Let's dive into each of those.

PokemonGO: is it worth the legal risk?

PokemonGO presents lots of legal risk for the makers of the game. Their arbitration agreement is almost completely worthless because of how it is -- or how it isn't -- being presented to users.

So, consider first the natural legal obstacles and areas of possible liability for Nintendo and Niantic for PokemonGO. The app directs and encourages players to wander the streets of a town -- possibly ending up in places where they shouldn't be. That's already led to issues with trespassing and gamers ending up in spots where they aren't welcome or even distracted drivers turning around in the middle of roadways to find Pokemon. 

Yet, even more grave concerns about the safety of the game's users still exist. The game's purported Terms of Service allow for users as young as 13, and users have already begun to report robberies and muggings at the sites of the game's Pokemon stops. Any user can access something called a "Lure Module" at a given PokeStop to lure more Pokemon to an area for 30-minute increments. Those "Lure Modules" are marked on the game's map -- and are designed to attract more gamers to the area. And in some situations, those gamers aren't finding Pokemon at the given stop -- but instead someone looking to do them physical harm.

The list could go on and on here -- there are a number of dangers and high-risk situations that could arise out of an augmented reality game that encourages users -- a large percentage of whom will be minors -- to get out and about and wander the community. It's not a matter of if the makers of PokemonGO are served with a lawsuit, but rather when. Chances are, their lack of effective clickwrap design will take them down, like it has many others. This doesn't mean they're guaranteed to lose such a suit, or are even likely to. But anyone who's familiar with the troubles and pains of litigation knows that it's in the best interest of companies to stop lawsuits before they begin, rather than sink endless dollars into billed hours, discovery fees, court costs, and settlements.

Niantic's aware of this -- and it's why they've placed an arbitration clause in their Terms of Service. Those terms have even been written by a good lawyer who knows that users need to be made acutely aware of any arbitration clause that's present, and who did so by putting a NOTICE IN ALL CAPS AT THE TOP OF THE TERMS OF SERVICE. Look!

[Screenshot: the all-caps arbitration notice at the top of the Terms of Service]

So, what's the problem? At no point when creating a PokemonGO account, logging into the services, or using the services is the user shown any Terms of Service for the product. They might as well not even exist.

To the right, you'll see the log-in/sign-up screen for PokemonGO's terms of service. We've talked many times before about what courts have dictated as a good construction of a clickwrap agreement -- and what ones won't pass the test to create an enforceable agreement. The best practice is to have a separate checkbox with clearly articulated language that indicates by checking said box you agree to terms and privacy policies, or at least a button labeled "I AGREE" rather than "SIGN UP" or "CONTINUE" or whatever. Heck, at the very least, you should have evidence on your opening screen that your Terms of Service exist in some form! PokemonGO doesn't even do that. There's merely a hyperlinked PRIVACY POLICY under the sign-up options, with no language tying or binding individuals to such policy. They don't even bother to put the Terms of Service on the opening screen in any way.

Once you're into the app, things continue to get worse for PokemonGO's terms of service. The terms are written as a "Browsewrap" style agreement -- in other words, you're manifesting assent to the terms merely by accessing or using the services. As we've discussed before, courts are naturally skeptical of browsewrap agreements -- even if they're well-constructed. But a user can't assent to terms that they aren't aware exist. Through the sign-up process and regular use of the app, there's never ever any mention of Terms of Service anywhere! Users would have to go to the menu of options, click on settings, click on "About Pokemon GO", and then look in tiny print at the bottom of the screen to find the terms of service for the app. That super-important arbitration clause is effectively meaningless because it's hidden within the app on an inconsequential screen that's designed by the creators specifically to not be found. It's an online legal trashfire, and it's a ticking time bomb that could cost the game's creators dearly if it's not corrected soon.

Oh, and speaking of that Privacy Policy...

When you sign into PokemonGO with Google, you're granting them access to your entire Google account. And you're never really accepting that Privacy Policy.

While the display and acceptance of PokemonGO's Terms are basically non-existent, the Privacy Policy sits on tenuous grounds, too. As we said, there's none of that critical linking language tying the act of signing into the services to an acceptance or acknowledgement of any policy or terms. That's not a good practice. However, at least the Privacy Policy is on the opening screen here. This is at least some semblance of an attempt to put the user on notice of what kinds of data will be collected -- and what the user grants Niantic license to use.

Yet, the contents of that Policy -- rather than how it's displayed and how you're bound to it -- should be what gives most users pause. When signing up via Google, users should be aware that the app's default setting grants Niantic access to EVERYTHING in their Google account. That can be altered from the settings and permissions page within their Google account, but without deeply reading into the Privacy Policy, this is something that most users simply won't be aware exists. Since we're experts in the display, automation, and tracking of online legal agreements -- we'll leave the discussion of your data privacy rights up to others. But if you'd like to read more about how you could be tracked using a mosaic of data from PokemonGO, check out this humorous & satirical (yet informative!) piece from Gawker's Ashley Feinberg. It might make you think juuuuust a bit before wandering off to capture Eevees in your local park.

This is an online legal trashfire -- and it's exactly what you shouldn't be doing if you're building an app.

PokemonGo is in its early stages and there's still time to make the fix. Developers should drop -- at the very least -- a link to the Terms of Service on the opening screen of the app in the next release. Find clickwrap best practices here. In addition to the physical dangers of PokemonGO, the app is set to have in-app purchases available soon. The lawsuits will come -- and a good lawyer will be set to attack the arbitration clause because of a lack of notice supplied to the user.

It's playing with fire to not have such a critical legal agreement displayed properly within an app or service. Don't be surprised if you notice a change -- or if you're prompted to accept some new terms -- by the next time you head out to hunt or do battle with friends at your local Pokemon gym after work.

UPDATE -- Friday, July 15 11:55 AM: Hate to say we told you so? Niantic and the creators of PokemonGo took note of these issues, and new users will notice a change from the process above when downloading the app for the first time. Now, PokemonGO is prompting new users to accept their terms when downloading the app with an "I ACCEPT" button before logging in, and then also giving them an Allow/Deny option and a disclosure of collected information when logging in with a Google account. But, through our own testing, it still seems not every user is being prompted to accept the terms. That means Niantic will still face versioning issues if an early adopter of the game before the update wants to attempt to invalidate that acceptance clause. A best practice for Niantic would be to deploy an update that forces users to accept the original terms before using the app.

 

Afraid of running into these types of problems within your own app? We can help!

Written by Kyle Robbins