5 Key Legal Agreements Your Business Needs

Written by Chris Slack (FreePrivacyPolicy Legal writer) and last updated on 01 July 2022.

Protecting your company is one of the most important actions you can take. One way of protecting your business is through the use of legal agreements.

Thankfully, there are many types of legal agreements you can use to help protect your company. Some protect your company, some protect your users, and some do both.

One of the most important aspects of these agreements is being transparent with your customers. Laws have been enacted around the world to protect users and require companies to fully disclose their practices in order to prevent fraud and theft.

Let's take a look at five legal agreements your business needs to have in order to protect your company from potential legal issues or lost customers.

A Privacy Policy

One of the most important and necessary legal agreements your company needs is a Privacy Policy.

A Privacy Policy is a disclosure by your company of how and why you collect your users' personal information and how that data will be used and protected.

Your Privacy Policy must include, at minimum:

  • What information is collected
  • How the information is collected and stored
  • Whether you disclose the data to any other parties
  • How your company uses the info
  • How your users can control your use of their information

A Privacy Policy is so essential that it is legally required by multiple laws around the world.

A note to remember: These laws may also apply to your company if you do business or have users where the laws are enacted. For example, the GDPR applies to European companies, but if you are a U.S. company with users in the EU, you also must comply with the law.

Let's take a deeper look at some of these laws.

Global Laws Requiring a Privacy Policy


The GDPR (General Data Protection Regulation) is the privacy law of the European Union aimed at creating transparency between companies and users.

It requires a Privacy Policy, and a specific one at that, for anyone who collects and processes personal information from people located in the EU. It doesn't matter whether your business is located there or not. If your customers/users are, then the GDPR will apply to you.

If your business is at an international level with a customer base in the EU or you specifically target the EU with advertising or marketing, become familiar with the GDPR and what it requires you to include in your Privacy Policy.


In Canada, PIPEDA (Personal Information Protection and Electronic Documents Act) is the federally enacted law that controls the collection of private information by private-sector companies in commercial transactions.

PIPEDA requires companies to have and maintain a Privacy Policy that informs Canadian users/customers of how their personal information is handled and what rights they have over it.

If your business is located in Canada, you need to know if PIPEDA applies to you.


The California Online Privacy Protection Act, or CalOPPA, is a California state law aimed at protecting the private information of California residents and one of the most important privacy laws in the US.

CalOPPA's main points are that companies must "conspicuously" post links to their Privacy Policies and must also include their policy on "do not track" signals, the settings consumers use to indicate that they do not want their info tracked.

If you have customers/users in the state of California, become familiar with the nuanced requirements of CalOPPA.

Note: The laws listed here are just a few of the ones that are currently in practice. Make sure to check with your own jurisdiction and with jurisdictions where you do business to see what specific privacy laws may be in place there. Also keep in mind that with the advancement of technology and the use of personal information, more privacy laws that require a Privacy Policy will surely be popping up around the world. It is recommended to stay aware of any new laws that are enacted.

Displaying Your Privacy Policy

Your Privacy Policy needs to be easily accessible and readily noticeable by your users for it to be effective. The best practice is to add a link to it in your website footer, like so:

Zendesk website footer with links

You can also add it to places where you're collecting personal information, such as an email sign-up form:

Fossil Email Sign-up Form

If you have a mobile app, make sure to link your Privacy Policy somewhere within your app as well, such as a Legal, Settings or About menu, and on the account sign-up screen if you require users to sign up before using your app.

As long as your Privacy Policy is accessible, clearly labeled and you get users to agree to it, you should be in compliance with most privacy laws.

How to Create a Privacy Policy

Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.

  1. Click on the "Free Privacy Policy Generator" button, located at the top of the website.
  2. Select where your Privacy Policy will be used:

    FreePrivacyPolicy: Privacy Policy Generator - Select platforms where your Privacy Policy will be used - Step 1

  3. Answer a few questions about your business:

    FreePrivacyPolicy: Privacy Policy Generator - Answer a few questions about your business - Step 2

  4. Enter the country and click on the "Next Step" button:

    FreePrivacyPolicy: Privacy Policy Generator - Enter the country - Step 2

  5. Continue building your Privacy Policy by answering the questions from our wizard:

    FreePrivacyPolicy: Privacy Policy Generator - Answer on questions from our wizard - Step 3

  6. Almost done. Now enter the email address where you'd like your new Privacy Policy sent, click on the "Generate" button, and you're done.

    FreePrivacyPolicy: Privacy Policy Generator - Enter your email address - Step 4

    That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.

A Terms and Conditions Agreement

While not legally required, including a Terms and Conditions Agreement on your site is extremely beneficial and important.

A Terms and Conditions Agreement (T&C) is your company's policy dictating how a consumer can use and interact with your site, while also protecting you from possible legal issues and liabilities.

A typical Terms and Conditions agreement includes clauses that address:

  • How a user may use your site and what actions are prohibited
  • Deactivation of user accounts, either by you or them
  • Relationship benefits between the company and the user
  • Legal disclosures
  • Payment terms

Even though a T&C isn't required by law, once a user agrees, a legally binding agreement is created between your company and your customers. This means if a user violates the agreement, you can take appropriate action.

Important Clauses to Include in Your T&C

Each Terms and Conditions agreement is tailored to your exact company and business. However, there are some key clauses that all T&Cs should include. Let's take a look at a few.

Acceptance of Terms

A clause that should be included early on in your Terms and Conditions is the Acceptance of Terms clause. The clause should explain in plain language what acceptance of the terms means for both your company and the user.

This section should also include a note to the consumer that acceptance of these terms creates a legally binding agreement, as Wayfair does in its Terms of Use (which is just another name for a Terms and Conditions agreement). Many companies also bold these words to draw the reader's attention:

Wayfair Terms of Use: Intro clause


If your company has any memberships or processes payments from your users, including a payment clause is necessary.

This clause protects you later on if there are any issues or arguments about whether bills were paid or if you are seeking reimbursement.

The entertainment streaming service Netflix collects a monthly subscription fee, and its payment clause covers potential payment method changes, price changes, and actions Netflix may take for failed payment methods:

Netflix Terms of Use: Billing Cycle and Payment Methods clauses

Termination of Use

Users don't always follow the rules and sometimes violate usage agreements. Including a section about how your company may terminate or suspend an account in these circumstances is highly recommended.

Pandora includes a termination clause in its Terms of Use that not only addresses how the company may terminate an account, but also how the user may as well:

Pandora Services Terms of Use: Term and Termination clause

Prohibited Uses

One of the main benefits of having a T&C is that you can set forth what your users must not do if they wish to use your website or app or be a customer of yours. These restrictions can be as simple as not posting profanity on your forums, and as nuanced as restricting reverse engineering of your software.

Evernote goes as far as to have a separate User Guidelines agreement, but in most cases you can just include a clause (or a few) in your T&C that expresses the same information. Here's an example of the types of things Evernote restricts:

Evernote User Guidelines: Excerpt of prohibited uses clause

If your list of restrictions is very long, for example if you allow user-generated content, sell products, have an interactive forum and other things you would want to exert the most control over, you can consider creating a separate User Guidelines document. But at minimum, include this type of clause in your Terms and Conditions agreement so users know your rules.

Displaying Your Terms and Conditions Agreement

Just like a Privacy Policy, providing notice to your users of your T&C and making it easily accessible is very important. If you don't receive agreement from a user, the user won't be able to use the site and you won't have protection if there are any contentious issues. You'll be less likely to prove a user agreed to your Terms if the terms are hidden or impossible to access or find.

Spotify makes it clear at account sign-up that by signing up, a user is agreeing to the Terms and Conditions of Use. This is a popular and effective way to notify your users of your T&C and get agreement:

Spotify sign-up form

You should also add a link to your T&C to your website footer, close to your other important legal agreement links. Here's how Luke Storey does it in his website's footer:

Luke Storey website footer with links

The more accessible your legal agreements are, the more effective they'll be, both for your business and your customers.



If your company offers any form of advice, services, or informative content, you should include a Disclaimer in your Privacy Policy, your T&C or even on a standalone Disclaimers page for the most visibility.

Disclaimers are statements by your company that anything on the site shouldn't be construed as either professional or legal advice. A Disclaimer is in place to make sure your users don't misunderstand your services. Additionally, a Disclaimer can also state your company is not liable for certain errors or issues that may arise.

Companies that should pay close attention to this are:

  • Health and medical-advice websites
  • Legal summary sites
  • Personal blogs
  • Other service sites, like financial planning, gambling tips, etc.

Most Disclaimers have a similar style of statement, but there are different types of disclaimers depending on your industry or company's unique business.

Professional Advice Disclaimers

Sites that offer tips or information on certain issues such as medicine or law should include a disclaimer informing the user that their site doesn't take the place of actual, professional help.

WebMD is one of the most popular medical informational websites that provides tips and images aimed to help you understand your medical issues. It specifically includes in its Disclaimer that the company is only an informational site, not a professional one, and you should seek actual professional assistance for a diagnosis.

It places this disclaimer very early in its Terms and Conditions so it will be less likely to be missed:

WebMD Terms and Conditions: Medical advice disclaimer

Disclaimer of Liability

A Disclaimer of Liability will state that your company waives any liability from the use of your site/service/products, such as expressed or implied warranties, errors or omissions, and infallible protection of information.

The sports news website ESPN includes many of these statements in its Warranty Disclaimer:

ESPN Terms and Conditions

Using all capital letters is standard for these types of disclaimers to make sure they're noticed more easily since they're very important for both you and your customers.

Cookies Policy

A Cookies Policy is where you disclose to your users details about the cookies your company uses to collect information.

The use of cookies creates a more user-friendly experience with a site and allows customization. There are multiple types of cookies including ones targeted at security and saving shopping baskets as customers continue to shop.

While companies use cookies to store information, users do have control over the use of many types of cookies. Consumers can reject or accept the cookies and can alter what type of cookies may be used with their information.

When is a Cookies Policy Required?

One of the most important cookie laws you should pay attention to is the EU's Cookies Directive. The Cookies Directive states you must include a separate Cookies Policy for your customers. Having a link to only your Privacy Policy is not enough under this law.

Remember, not only companies based in the EU are subject to this law. Foreign companies are as well if they have customers located in the EU and target EU consumers.

The jewelry company Pandora does business all over the world. This means it must provide a separate Cookies Policy to adhere to the Cookies Directive:

Screenshot of Pandora Cookie Policy intro section

You'll need to link your Cookies Policy in your footer as you do with your Privacy Policy and other legal agreements:

Pandora website footer showing Cookie Policy link

If you are a U.S. company that does not do business with customers in the EU, you can include your Cookies Policy in your general Privacy Policy or even get away with simply having a clause that addresses cookies. You do not have to include a separate link or policy statement from your Privacy Policy.

An example of a US-based company that doesn't need to include a link to a separate Cookies Policy is Casey's. It's an Iowa-based company that only has stores in the U.S. and does not deliver outside of the United States. Note that its footer doesn't have a Cookies Policy link:

Caseys website footer with links

Even if you aren't required to have a Cookies Policy, it may be a good idea to have one anyway. As laws develop further and increase privacy requirements, a Cookies Policy may become mandatory beyond the EU. Also, if your business is growing or you one day wish to expand into the EU market, having this Policy up and ready will save you a step during that busy time of expansion.

Where to Display Your Cookies Policy

The most common place to display a link to your Cookies Policy is in the footer of your site. However, you can also include it in:

  • Pop-ups like your Cookie Consent Notice (discussed in the next section)
  • Sign-up/account creation forms
  • Checkout pages
  • Privacy Policies

Some companies do business around the world and have different versions of their website for various locations. If you are just using the U.S. version of a website you won't likely see a Cookies Policy link, but if you access the UK version of the same company's website you will see one, such as the UK version of the news outlet The Guardian:

The Guardian UK website footer with links

As noted, you will also need to display your Cookies Policy link within your cookie consent notice.

Cookie Consent Notices

The GDPR requires any company that is in the EU or has EU customers to get consent for using most types of cookies. The most common way to do this is with a Cookies Consent Notice.

The most common Cookie Consent Notices are pop-ups or banners. These pop-ups appear within seconds of a user accessing your website for the first time. These notices typically include a brief description that the company uses cookies, why, and where users can access further information (such as in a Cookie Policy).

Patagonia includes a pop-up providing a very in-depth explanation of its cookies use:

Patagonia Cookie Consent Notice

Another example of a Cookie Consent Notice is from Louis Vuitton. The company has included a brief description of the cookies it uses with buttons to accept the cookies or customize specific cookie settings. A link to the Cookie Policy is also included:

Louis Vuitton Cookie Consent Notice

The more clearly you get consent for cookies, the better. The button above labeled with the word "Accept" makes it very clear that something is being accepted. Another option would be to use the words "I Agree" in your consent button.


A company is only as successful as the protections it puts into place for the future. Some of the most important protections can be had by including legal agreements.

There are many legal agreements out there, but these five key agreements are amongst the most important for every business with an online presence:

  • Privacy Policy

    • Required by multiple laws with multiple requirements
    • Discloses how you handle personal information of your users
  • Terms and Conditions

    • Not required by law
    • Helps you maintain control over the use of your website/service
  • Disclaimers

    • Help limit your liability
    • Help warn people about things they should be aware of
    • Important for businesses/websites that give advice, tips, information, etc.
  • Cookies Policy

    • Required by the EU's Cookies Directive
  • Cookies Consent Notice

    • Required by the GDPR
    • Commonly seen as pop-ups and banners
    • Get as clear agreement as possible in your notice by using buttons, labels and checkboxes
    • Link to your Cookies Policy if you have one, or to your Privacy Policy that has a cookies clause