Everyone has seen them, few read them, and even fewer truly understand them. But that does not mean your company should not have them.
For many companies, especially those offering a SaaS platform, the Terms of Use (or Terms and Conditions of Service) and Privacy Policy serve as the primary agreements between the company and its end users, whether an end user’s access is provided through a customer’s corporate enterprise account or an individual account. It is vital to know the basic concepts of these agreements and appreciate the role they play for your company.
The Terms of Use set forth the legal terms under which the company will provide its service to the end-user, including:
- the rights and obligations of the parties;
- payment of fees, remedies, term and termination; and
- other standard legal clauses like indemnification, confidentiality, and limitation of liability.
When properly drafted, this agreement will reference the company’s Privacy Policy and incorporate those terms into the Terms of Use that need to be agreed upon prior to gaining access to the company’s online service
A Privacy Policy provides transparency and information relating to the collection and use of customers’ personal information. This can be as basic as a name and an email address. Essentially, a Privacy Policy discloses the kinds of information collected, how it is used, and whether it is commercialized.
Requirement of a Privacy Policy
While Privacy Policies are not generally mandatory, there are certain instances where a company may be required to maintain one on its website, including if the company is:
- collecting personal information about, or targeting, children under the age of 13;
- an institution “significantly engaged” in financial activities
- a “covered health care provider”; or
- collecting data from citizens of the European Union and transmitting and storing that data in the United States. [1]
Many states have enacted their own privacy laws including, among others, the California Consumer Privacy Act (“CCPA”). Many early-stage companies do not meet the requirements to be subject to these laws (for example, with respect to the CCPA, having $25MM of annual revenue, possessing the personal data of more than 50,000 consumers, and earning more than half of its annual revenue through selling consumer’s personal data). Despite this, it is important to keep each state’s regulatory regime relating to privacy in mind. In the absence of a federal law that preempts state laws, companies need to ensure compliance with each state relating to the protection of personal information.
Things to keep in mind
- Abide by the Privacy Policy. A Privacy Policy is only as good as the company’s compliance with it, so be sure that it accurately reflects the types of data that collected, how it is processed, and with whom it is shared.
- Make the Terms of Use and Privacy Policy accessible to all customers of the business. While these policies will likely include complex legal provisions, they don’t have to be drafted such that lawyers are the only people who understand them. Companies should work with legal advisors to draft policies and agreements that are easily understood.
- What works today may not tomorrow. The Privacy Policy and Terms of Use are meant to be living documents, changing over time alongside a company as it grows and matures. Be sure to review and revise them as necessary to keep them up to date.
- Be attentive to customer requests. Certain laws (namely CCPA) require a timely response to customer requests related to personal information a company has collected, and may involve civil penalties for non-compliance. Implement reasonable internal practices and policies to ensure continued compliance.
- Stay informed. Be sure to keep up to date with changes to the regulatory landscape, both federally and locally. Data privacy is becoming a hot topic, and states are beginning to enact laws to protect the privacy of its citizens. Therefore it is more important than ever to regularly review these polices to ensure that they remain compliant in an ever changing regulatory landscape.
[1] See, respectively: the Children’s Online Privacy Protection Act, the Graham-Leach Bliley Act; the Health Insurance Portability and Accountability Act; and the General Data Protection Regulation.