By: Brett Simpson

Now more than ever, having an online presence for your company can be vital to early success. Small businesses have easier and cheaper access to powerful tools that can build extremely useful website functions like ecommerce or community forums. But with these powerful functions comes a great deal of responsibility, particularly when it comes to data collection. To meet those responsibilities and to protect their business, website owners need to make sure they have good terms of service and privacy policies in place.


Some business owners don’t realize that they may need a terms of service agreement or a privacy policy in place for their website, and many owners who do have these policies choose to take shortcuts by using generic or copied terms of service. Both options leave your business vulnerable to legal issues down the line. This post will cover what a terms of service agreement and privacy policy typically cover, common mistakes made by businesses, and the ramifications of not having a policy that appropriately covers your website.


Terms of Service

Terms of service set the rules that your website’s visitors need to follow[1]. Terms of service are an agreement; the user must accept the rules to use the website’s functions. Because terms of service are not required by law, some may feel like their website does not need to implement anything. However, that decision carries future risk.

Typically, a terms of service agreement lays out the website owners’ restrictions on how a user can utilize information and tools located on their website[2]. Additionally, website owners commonly place clauses that limit the owner’s liability for accuracy of information found in their content[3].

Terms of service vary greatly and can include a range of terms, including which laws should govern your website, setting the forum state for future lawsuits, establishing repercussions for misuse, and defining ownership over any intellectual property found on the website[4].

Defining copyright ownership and making those relationships clear before users can access your website is incredibly important and can save the headache and cost of trying to prevent other people from using your work. Additionally, many websites use their terms of service to clearly lay out that they will comply with outside parties’ copyright claims on content that users post, to shield themselves from liability in potential infringement cases. The Digital Millennium Copyright Act (DMCA) is the go-to reference, with many websites having specific clauses in their terms of service that refer to the act and outline the website’s ability to take down infringing content[5].

A good terms of service agreement is tailor-made for the particular business and covers the contours of the website. Website owners without any terms of service risk having a court define or discern the default relationship between the website owner and website user, which could become a drawn-out and costly addition to future litigation. Likewise, a website owner with terms that were made for another website or terms that were not well-crafted risks having the user agree to terms that even the business owner doesn’t want but are nevertheless enforceable.

For example, if a business in Michigan were to copy terms of service from a website based out of New Jersey, without careful editing, the Michigan company may very well be implementing and binding itself to rules that state all lawsuits will be held in New Jersey.


Privacy Policy

A privacy policy is another form of agreement, but it serves to disclose to the user what data is collected and how it will be used by the website owner[6]. Privacy policies, unlike the terms of service, are required by law.

The requirements of a website’s privacy policy vary widely and are based mainly on the location of the users and visitors of the website. Not only do other countries have their own privacy requirements, different states require different standards as well. This is relevant because even very basic websites collect data on their visitors[7]. This data can vary in complexity and usefulness to your business but requires careful handling and disclosure regardless.

Something to consider while formulating a website’s privacy policy is the location of the website’s users. While it may seem obvious that collecting data from users in other countries may have stricter policy requirements, it may be less obvious that different states in the US have strict requirements that may not be required federally or in other states.

Companies that are looking to operate solely in the United States and only collect information from within the US will have to comply with California’s CalOPPA law[8]. The law requires any business collecting personally identifiable data from California residents to disclose what information is being collected and who the data may be shared with, and to outline internal processes for users to access their own personal data. The law also requires that a website’s policy be easy to access from the homepage.

What’s important to note is that CalOPPA only applies to data collected from California residents, so some website owners will add provisions to their policy that are specific to Californians[9]. A potential downside to this approach is that tailoring policies towards specific state residents could create confusion or make the policies unwieldy to maintain.

Failing to comply with CalOPPA could open a business up to unwanted liability, future lawsuits by California government officials, or even the Federal Trade Commission in some cases. While these penalties are specific to CalOPPA, it is important to review the laws for the jurisdictions that a website may collect data from as the requirements and penalties can vary.



What many website owners may not realize is that website building and hosting services like Squarespace have terms of service and privacy policies of their own, but they do not apply to their users’ websites[10]. This can leave many feeling like their website has the appropriate policies in place when, in reality, it has no coverage. It is important to take inventory of your website’s coverage sooner rather than later. Website owners should consult with their hosting service to implement any necessary references to the service’s privacy policies or terms of service.

To be truly covered, website owners should take stock of the functions of their website, the data that they collect, and the location of their users, not necessarily just the location of their business.

Using all of these points, website owners can carefully craft a set of terms of service and privacy policy that fits the needs of their business and fits the rules of the states or countries where the website is used.


[2] Id