Zappos just lost a big court battle.

In January, hackers got ahold of 24 million Zappos customers' email addresses and other personal information.

Some of those customers have been suing Zappos, an online shoes and clothing retailer that's owned by Amazon.com. Zappos wants the matter to go into arbitration, citing its terms of service.

The problem: A federal court just ruled that agreement completely invalid.

So Zappos will have to go to court—or more likely settle to avoid those legal costs.

Here's how Zappos screwed up, according to Eric Goldman, a law professor and director of Santa Clara University's High Tech Law Institute: It put a link to its terms of service on its website, but didn't force customers to click through to it.

There's a ton of legal precedents around what constitutes a contract. If you leave a piece of paper with a bunch of legalese out in your office, and someone wanders through, but doesn't even look at it, let alone sign it, you can't say they agreed to what's on the paper. There's no "meeting of the minds," to use the legal concept.

These kinds of arrangement are called "browsewrap" agreements, and they're extremely common—Dell, Southwest, and a lot of other companies have had them on their websites, and their uncertain legal status has landed them in court a lot.

What Zappos should have done: Force customers to click a button that says sure, yeah, whatever, they've read the terms and agree to them. Courts have found these "clickwrap" terms valid—even though in reality no one actually reads the stuff they're agreeing to.

A second way Zappos messed up: Its terms say that it can change the agreement at any time, unilaterally. That's inherently unfair, and courts have invalidated contracts on those grounds, too.

What this means: A lot of billable hours for lawyers and interactive designers, as everyone reworks their websites and mobile apps to force users to lie about having read page after page of legal jargon to get about their business.

Will Zappos have to pay up? The customers whose email addresses were exposed will have to demonstrate that they were actually harmed by the leak. But arbitration is usually a way to resolve disputes that's less expensive and friendlier to businesses, which is why terms of service usually require it.