There is often a lot of confusion surrounding what exactly Terms of Service are, and how they differ from Privacy Policies. Clients also wonder what the differences are between Terms of Service, User Agreements, and Terms and Conditions. These agreements are generally synonymous, so for the sake of simplicity we will collectively refer to this kind of agreement as the Terms of Service or TOS. Also, please note Legal Sloth sells a TOS and Privacy Policy worksheet/template (used by an experienced attorney who worked at one of the world’s largest law firms). Check it out!
TOS and Privacy Policies, however, could not be more different from each other. Privacy Policies govern how you protect the data that users share with you. Privacy laws such as GDPR and CPRA require your compliance. You might be saying, “Great – I don’t have to worry about it because I don’t collect user data.” You would be wrong. It is nearly impossible to run a site and not collect data, from cookies to IP addresses – even if you aren’t collecting personal information, you are almost certainly collecting some level of data automatically. Consequently, it is imperative that you have a good privacy policy. While Privacy Policies are all about protecting the privacy rights and data security of your users, TOS are focused on protecting you. The TOS lay out the rules for users, and they should dictate what actions (i.e., Intellectual Property infringement, uploading malware/viruses, harassment of other users, etc.) will result in users losing the right to use your site.
Often, when business owners are building their websites and realize they need a privacy policy and a TOS, they decide to just take one from somewhere online. Perhaps they go as far as looking up the TOS and Privacy Policy of a competitor or other similar business and copying and pasting that website’s TOS and Privacy Policy and using it as their own. This is a huge mistake. Not only is this very possibly copyright infringement (unless you purchased the same template another company did), but no matter how similar one business might be to another business, every TOS and Privacy Policy requires at least some level of customization – and often a business requires a completely unique and fully customized TOS and Privacy Policy. Additionally, the TOS and Privacy Policy you copy may also be poorly written and ultimately useless for the purpose of protecting you and your business.
When creating a TOS and Privacy Policy, it is highly recommended that you consult an attorney. You may hate the idea of spending money on an attorney to draft a TOS and Privacy Policy tailored to your business, but you’re going to hate it a lot more if you skip this important step and run into litigation down the road because you don’t have both a solid TOS and Privacy Policy in place. While you very well may need a custom TOS and Privacy Policy, there are some common terms in both TOS and Privacy Policies that you should be familiar with.
Privacy Policies:
The most prominent privacy laws are the GDPR (governing how to treat data from users based in the European Union) and the CCPA (governing how to treat data from users based in California). Nearly all states and countries have their own privacy laws, so don’t think you don’t need to address this if you have a site that focuses on users not based in California or the EU.
If your site collects any medical data, or data from users under 18, you will require a more complex privacy policy, as you will need to also ensure compliance with other laws and regulations like the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA), or the Family Educational Rights and Privacy Act (FERPA), etc. There are a multitude of different laws governing privacy rights, and this is a rapidly evolving area of law that in fact changes drastically in short time periods, so if your business actively collects user data beyond IP addresses and cookies, such as name, email, age, address, phone number, credit card info, profession, etc. – it is especially important to consult an attorney.
It is also worth mentioning that there has been a significant move toward using highly readable language and a shift away from using “legalese”. Your Privacy Policy should be very easy to understand so it doesn’t overly burden users who want to know what their rights are and what data you are using that belongs to them.
Every Privacy Policy should cover at least the following:
Data Collected: The Privacy Policy should clearly explain what type of data the site is collecting from the user. Is it collecting their name, age, sex, mailing address? IP address? Email address? Cookies? Anything else? Any data that the site collects should be clearly identified.
Why it is Collected: For any data you collect, you should explain why you are collecting it. Are you collecting email addresses so you can update the user about offers or website developments? Are you collecting various identifying data so you can show them advertising that is likely relevant to them? Whatever the reason, you should include it. An increasingly common way of explaining what data you are collecting and why is by using a simple chart, listing the data collected on one side and the reason why it is being collected on the other.
How Users can Erase or Correct their Data on the site: You should state clearly not only how the person in charge of data on your site can be most effectively contacted, but you should also explain that users own their data and they have the right, at any time, to delete, update or otherwise correct their data.
Consent: Users must be able to give (and revoke) consent to websites that collect their data. The Privacy Policy, relatedly, must also provide information on remedies available to the user in the event the company does not comply with its own Privacy Policy.
Updates: Because Privacy laws change so quickly, it is important to include language in your Privacy Policy that clarifies the user should frequently check the Privacy Policy for updates, as any updates you may need to make will be uploaded to the page that contains your Privacy Policy and should be considered effective immediately.
U.S. / E.U. Privacy Shield (Schrems II): It is worth mentioning the Schrems II decision in your Privacy Policy. You will find a lot of complex legal analysis online regarding the “Privacy Shield” and its impact on U.S. companies. The key takeaway here is that Europe takes the privacy rights of its citizens extremely seriously and determined, in a court case ruled on by the European Union Court of Justice (Facebook Ireland v. Schrems (Schrems II)), that the pre-existing rule regarding how U.S. companies transfer data (the “Privacy Shield”) is not sufficient to comply with the high standards of GDPR / European privacy laws. The court found that, because the U.S. can access data transferred between the U.S. and EU for national security purposes, such access violates the privacy rights of European users. Relatedly, the court found the Privacy Shield was insufficient to comply with the GDPR because European users do not have recourse against the U.S. Government in the event their data is accessed for U.S. national security purposes, and in order for any Privacy Policy to be GDPR compliant, it must grant users the ability to seek recourse for non-compliance with the Privacy Policy. The court did find that some standard contractual clauses may be sufficient to comply with the GDPR when companies need to transfer data, but this is determined on a case-by-case basis. So, where does this leave you? The complexity of this decision means you should really consider working with an attorney experienced with Privacy Policies.
Terms of Service:
It is best practice to create a new document when drafting your TOS. Ideally, you keep your Privacy Policy separate from your TOS, to help clarify the distinction between your rights as the site owner and the rights of your users as owners of their respective data.
You will almost certainly need a customized TOS, but regardless of your unique TOS, you should have a firm understanding of terms that are nearly universal to all Terms of Service:
Disclaimer: The TOS should state clearly that the user is relying on your content at their own risk, and you aren’t taking any liability for the actions they may take based on reading your content or otherwise using the services you offer.
Prohibited Use: The TOS should be clear on what user actions are prohibited. At the very least, this list should include Intellectual Property infringement, harassment of other users, or uploading any viruses/malware to the site.
IP Ownership: It should be explicit that the company that owns the website maintains all of its ownership rights in its intellectual property, and using the site does not transfer any of these ownership rights to the users.
Payment Terms: If you collect payment from your users, your TOS should specify how users should pay and what happens if they don’t pay or if their card doesn’t go through. Are they on a subscription plan? Is it a flat fee? Whatever the details are, they should be laid out clearly here.
Updates: Similar to your Privacy Policy, it is important to include language in your TOS that clarifies the user should frequently check the TOS for updates, as any updates you may need to make will be uploaded to the page that contains your TOS and should be considered effective immediately.
There are several other provisions you should have in your TOS, but those above are the most basic and will help get you started on thinking about what terms you will need.