There is often a lot of confusion surrounding what exactly Terms of Service are, and how they differ from Privacy Policies. Clients also wonder what the differences are between Terms of Service, User Agreements, and Terms and Conditions. These agreements are generally synonymous, so for the sake of simplicity we will collectively refer to this kind of agreement as Terms of Service or TOS.

TOS and Privacy Policies, however, could not be more different from each other. Privacy Policies govern how you protect the data that users share with you. Privacy laws such as GDPR and CPRA require your compliance. You might be saying, “Great – I don’t have to worry about it because I don’t collect user data.” You would be wrong. It is nearly impossible to run a site and not collect data, from cookies to IP addresses – even if you aren’t collecting personal information, you are almost certainly collecting some level of data automatically. Consequently, it is imperative that you have a good privacy policy. While Privacy Policies are all about protecting the privacy rights and data security of your users, a TOS is focused on protecting you. The TOS lays out the rules for users, and it should dictate which actions (e.g., Intellectual Property infringement, uploading malware/viruses, harassment of other users, etc.) will result in users losing the right to use your site.

Often, when business owners are building their websites and realize they need a privacy policy and a TOS, they decide to just take one from somewhere online. Perhaps they go as far as looking up the TOS and Privacy Policy of a competitor or other similar business and copying and pasting that website’s TOS and Privacy Policy and using it as their own. This is a huge mistake. Not only is this very possibly copyright infringement (unless you purchased the same template another company did), but no matter how similar one business might be to another business, every TOS and Privacy Policy requires at least some level of customization – and often a business requires a completely unique and fully customized TOS and Privacy Policy. Additionally, the TOS and Privacy Policy you copy may also be poorly written and ultimately useless for the purpose of protecting you and your business.

When creating a TOS and Privacy Policy, it is highly recommended that you consult an attorney. You may hate the idea of spending money on an attorney to draft your TOS and Privacy Policy tailored to your business, but you’re going to hate it a lot more if you skip this important step and run into litigation down the road because you don’t have both a solid TOS and Privacy Policy in place.  While you very well may need a custom TOS and Privacy Policy, there are some common terms in both TOS and Privacy Policies that you should be familiar with.  

Privacy Policies

The most prominent privacy laws are the GDPR (governing how to treat data from users based in the European Union) and the CCPA (governing how to treat data from users based in California). Nearly all states and countries have their own privacy laws, so don’t think you don’t need to address this if you have a site that focuses on users not based in California or the EU. 

If your site collects any medical data or data from users under 18, you will require a more complex privacy policy, as you will need to also ensure compliance with other laws and regulations like the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA), or the Family Educational Rights and Privacy Act (FERPA), etc. There are a multitude of different laws governing privacy rights, and this is a rapidly evolving area of law that in fact changes drastically in short time periods, so if your business actively collects user data beyond IP addresses and cookies, such as name, email, age, address, phone number, credit card info, profession, etc. – it is especially important to consult an attorney. 

It is also worth mentioning that there has been a significant move toward using highly readable language and a shift away from using “legalese”. Your Privacy Policy should be very easy to understand so it doesn’t overly burden users who want to know what their rights are and what data you are using that belongs to them. 

Every Privacy Policy should cover at least the following:

Data Collected: The Privacy Policy should clearly explain what type of data the site is collecting from the user. Is it collecting their name, age, sex, mailing address? IP address? Email address? Cookies? Anything else? Any data that the site collects should be clearly identified.

Why it is Collected: For any data you collect, you should explain why you are collecting it. Are you collecting email addresses so you can update the user about offers or website developments? Are you collecting various identifying data so you can show them advertising that is likely relevant to them? Whatever the reason, you should include it. An increasingly common way of explaining what data you are collecting and why is by using a simple chart, listing the data collected on one side and the reason why it is being collected on the other. 

How Users can Erase or Correct their Data on the site: You should state clearly how the person in charge of data on your site can be most effectively contacted, and you should also explain that users own their data and have the right, at any time, to delete, update or otherwise correct their data.

Updates: Because Privacy laws change so quickly, it is important to include language in your Privacy Policy that clarifies the user should frequently check the Privacy Policy for updates, as any updates you may need to make will be uploaded to the page that contains your Privacy Policy and should be considered effective immediately. 

Terms of Service

It is best practice to create a new document when drafting your TOS. Ideally, you keep your Privacy Policy separate from your TOS, to help clarify the distinction between your rights as the site owner and the rights of your users as owners of their respective data.

You will almost certainly need a customized TOS, but regardless of your unique TOS, you should have a firm understanding of terms that are nearly universal to all Terms of Service:

Prohibited Use: The TOS should be clear on what user actions are prohibited. At the very least, this list should include Intellectual Property infringement, harassment of other users, or uploading any viruses/malware to the site. 

IP Ownership: It should be explicit that the company that owns the website maintains all of its ownership rights in its intellectual property, and using the site does not transfer any of these ownership rights to the users. 

Payment Terms: If you collect payment from your users, your TOS should specify how users should pay and what happens if they don’t pay / if their card doesn’t go through. Are they on a subscription plan? Is it a flat fee? Whatever the details are, they should be laid out clearly here. 

Updates: Similar to your Privacy Policy, it is important to include language in your TOS that clarifies the user should frequently check the TOS for updates, as any updates you may need to make will be uploaded to the page that contains your TOS and should be considered effective immediately.

There are several other provisions you should have in your TOS, but these above are the most basic and will help get you started on thinking about what terms you will need.