A Privacy Policy explains to your users how you'll be using their personal data, what steps you've taken to keep it safe, and how they can exercise their rights over their personal data. A Terms and Conditions agreement sets out what's expected from both you and your users. The agreement can be used to manage your users' activity and expectations, and to protect your company from legal issues.
Together, these agreements help ensure that you're compliant with consumer privacy laws and protecting yourself against any potential legal problems.
- 1. Privacy Policies
- 1.1. A Privacy Policy is Required by Law
- 1.1.1. European Union (EU) Law
- 1.1.2. United States (U.S.) Law
- 1.2. A Privacy Policy is Required by Third Parties
- 1.2.1. Website Software/Hosting Services
- 1.2.2. Ecommerce Services
- 1.3. Key Features of a Privacy Policy
- 1.3.1. Who Your Users Can Contact About Their Data
- 1.3.2. Types of Personal Data You Process
- 1.3.3. How You Process Personal Data
- 1.3.4. Information About Third Parties
- 2. Terms & Conditions
- 2.1. Key Benefits and Features of a Terms & Conditions Agreement
- 2.1.1. Setting Out Your Rules
- 2.1.2. Protecting Your Company from Legal Action
- 2.1.3. Explaining the Reasons You Can Terminate Service
- 2.1.4. Establishing Your Intellectual Property Rights
- 3. Privacy Policy and Terms & Conditions - Key Differences
Privacy Policies
Creating a Privacy Policy is essential. If your company handles personal data in any way, most privacy laws require you to have one. Drafting it will also prompt your company to consider whether it's complying with other aspects of privacy law.
Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.
- Click on the "Free Privacy Policy Generator" button, located at the top of the website.
- Select where your Privacy Policy will be used:
- Answer a few questions about your business:
- Enter the country and click on the "Next Step" button:
- Continue building your Privacy Policy by answering the wizard's questions:
- Almost done. Enter the email address where you'd like your new Privacy Policy sent, click on the "Generate" button, and you're done.
That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.
Additionally, a Privacy Policy helps reassure your users that your company is looking after their personal data appropriately.
A Privacy Policy is Required by Law
Many privacy laws require a Privacy Policy, and it's practically impossible for a company with any online presence to fall outside the jurisdiction of all of them.
European Union (EU) Law
The EU's General Data Protection Regulation (GDPR) privacy law is notoriously rigorous and applies to any individual or organization which is:
- Engaged in activity that isn't purely personal or household, and
- Processing the personal data of people who are in the EU (whether or not they're EU citizens)
These are the only two conditions required for you to fall under the GDPR. Your company doesn't need to be based in the EU - you just need to be dealing with people located in EU Member States such as Germany, France or Sweden. The UK kept the same rules in domestic law (the "UK GDPR") after leaving the EU.
In case you're wondering whether your company "processes personal data":
- "Personal data," defined at Article 4(1) of the GDPR, means any information relating to an identified or identifiable individual - a person's name, but also online identifiers such as the cookies and IP addresses your website sees.
- "Processing," defined at Article 4(2) of the GDPR, means doing just about anything with that data - keeping a record of a person's name, or setting and reading cookies in your users' browsers.
United States (U.S.) Law
Another example of a privacy law that requires a Privacy Policy is the California Online Privacy Protection Act (CalOPPA). This long-standing law is one of the most stringent in the U.S., and applies to anyone:
"that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service"
Under CalOPPA, your company is required to "conspicuously post its privacy policy on its Web site."
The law applies not only to companies located in the State of California, but also to any company or website that expects California residents amongst its users. Given that it's not practical to exclude California's roughly 40 million residents from your website or app, you need to comply with this law by creating a Privacy Policy.
A Privacy Policy is Required by Third Parties
Your company's website most likely makes use of third-party services such as website building or hosting software or ecommerce software. The Terms & Conditions of most of these third parties will often require you to have a Privacy Policy - either directly or indirectly, by requiring you to comply with privacy laws as a condition of using the service.
Website Software/Hosting Services
Although it states that it's unable to give legal advice on what to include in a Privacy Policy, website development and hosting service Squarespace does advise its users of the following in relation to the GDPR:
Website development and hosting service Wix also requires a Privacy Policy for any of its users who take payments through their site. More generally, Wix requires its users to obey the law and not violate user rights.
Take a look at the following section of Wix's Terms of Use:
Ecommerce Services
If you're taking payments on your website or app, you'll need your own Privacy Policy - even if you're using a third party to facilitate this. As part of their Terms & Conditions, almost all ecommerce services require their merchants (users) to have a Privacy Policy.
Take a look at this section of ecommerce platform Shopify's Privacy Policy:
Key Features of a Privacy Policy
What you need to include in your Privacy Policy depends partly on who'll be using your services. However, there are certain requirements common to various privacy laws that your company's Privacy Policy will need to comply with.
Who Your Users Can Contact About Their Data
Your Privacy Policy needs to tell your users who you are and how they can contact you.
Let's see how insurance company RAC provides its contact details in its Privacy Policy:
Types of Personal Data You Process
Article 12(1) of the GDPR requires that companies supply information about any data they are processing "in a concise, transparent, intelligible and easily accessible form, using clear and plain language."
A good place to start is by explaining to your users what type of personal data you'll be collecting from them.
Here's how IKEA does this in its Privacy Policy:
Even if your company isn't asking your users to actively supply personal data, you'll need to inform them about your use of browser information such as cookies.
Accounting software company Sage handles this by publishing a separate Cookies Policy which is incorporated into its main Privacy Policy. Here's a small excerpt:
CalOPPA requires you to tell California residents how your website responds to Do Not Track (DNT) signals. DNT is a setting in some web browsers that adds a "DNT: 1" header to every request, asking websites to disable tracking mechanisms such as tracking cookies.
Here's how Land Rover USA complies with this:
Note that CalOPPA doesn't require your website to honor DNT requests - but it does require transparency.
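Whether or not you choose to honor DNT, your disclosure has to match what your server actually does. The following is an added example (not code from the original article or from any company named in it) showing the server-side check a site would make if it did decide to honor the signal: read the DNT request header, and only set a tracking cookie when the browser has not asked otherwise. The cookie names, the header-lookup helper and the sample requests are illustrative assumptions.

```javascript
// Added example: honoring a browser's Do Not Track (DNT) signal server-side.
// The DNT request header carries "1" when the user has asked not to be
// tracked; browsers send "0" (or no header at all) otherwise.
// Helper and cookie names below are illustrative assumptions.

// Look up a header by name regardless of case. Node's http module lower-cases
// header names, but raw or proxied header maps may not.
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) {
      return Array.isArray(value) ? value[0] : value;
    }
  }
  return undefined;
}

// True only when the browser explicitly sent DNT: 1.
// "0", an absent header or an unexpected value all mean "no preference".
function dntRequested(headers) {
  const raw = headerValue(headers, 'dnt');
  return typeof raw === 'string' && raw.trim() === '1';
}

// Decide which Set-Cookie headers a response should carry.
// The session cookie is strictly necessary and is always set; the
// long-lived visitor cookie is a tracking mechanism and is skipped under DNT.
function cookiesForResponse(headers, sessionId, visitorId) {
  const cookies = [
    `sid=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`,
  ];
  if (!dntRequested(headers)) {
    cookies.push(
      `_visitor=${visitorId}; Path=/; Max-Age=31536000; Secure; SameSite=Lax`
    );
  }
  return cookies;
}

// Constructed sample requests (not captured traffic).
const trackingBrowser = { host: 'example.test', 'user-agent': 'Mozilla/5.0', dnt: '0' };
const privateBrowser = { Host: 'example.test', 'User-Agent': 'Mozilla/5.0', DNT: '1' };

console.log(JSON.stringify({
  withoutDnt: cookiesForResponse(trackingBrowser, 'abc123', 'v-001'),
  withDnt: cookiesForResponse(privateBrowser, 'abc123', 'v-001'),
}, null, 2));
```

Two practical caveats: the strictly-necessary session cookie is still set under DNT, since DNT concerns tracking rather than the cookies a service needs to function, and several browsers have removed the DNT setting altogether (Safari dropped it in 2019), so relying on it reaches only some of your users. CalOPPA's disclosure requirement applies either way: if you ignore the header, say so.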
How You Process Personal Data
Your Privacy Policy needs to explain to your users the ways in which your company will use their personal data.
Here's part of how Apple explains this:
Information About Third Parties
There are a number of reasons that you might need to pass your users' information onto third parties. Under Article 4(8) of the GDPR, an organization that processes data on the data controller's behalf is known as a "data processor." A data processor might be:
- An ecommerce platform which takes payments on your company's behalf
- A database software company which stores customer details on your behalf
- A survey company which gathers feedback on your behalf
If a data processor you work with handles your users' personal data outside of the EU, Article 13(1)(f) of the GDPR requires you to tell your users about that transfer in your Privacy Policy, together with the safeguards it relies on to meet the GDPR's standards (for example an adequacy decision or standard contractual clauses).
Here's how the UK Government's website GOV.UK does this:
Note that your Privacy Policy doesn't necessarily need to give the actual names of the third parties you are sharing your users' personal data with - Article 13(1)(e) of the GDPR, which sets out what your notice must contain, only requires "the recipients or categories of recipients of the personal data, if any." (Article 30(1)(d) uses the same "categories of recipients" wording for the internal record of processing activities you must keep.)
Terms & Conditions
A Terms & Conditions agreement (sometimes called Terms of Use or Terms of Service) sets out what your company expects of its users, and what your users can expect from your company in return.
Our Free Terms and Conditions Generator is created to help you generate a professionally drafted agreement that can include various terms and conditions for your site and/or app.
- Start the Free Terms and Conditions Generator from our website.
- Select platforms where your Terms and Conditions will be used (website, app or both):
- Answer a few questions about your website or app information:
- Select the country:
- Answer a few questions about your business practices:
- Enter your email address where you'd like to receive the new Free Terms and Conditions and click "Generate":
Once generated, you can copy and paste your Free Terms and Conditions agreement on your website or app or link to your hosted Free Terms and Conditions page.
Terms & Conditions are not a legal requirement in the same way as a Privacy Policy.
However, having a clear set of Terms & Conditions is highly beneficial for any company:
- Terms & Conditions are an agreement between you and your users about what they can and cannot do when using your service.
- Terms & Conditions can protect or limit the damage that can be caused to your company through legal action.
- Terms & Conditions can allow you to fairly withdraw or suspend service.
Key Benefits and Features of a Terms & Conditions Agreement
What you include in your Terms & Conditions largely depends on the nature of your company and your online presence. These are some of the general and universal benefits of having a Terms & Conditions agreement:
Setting Out Your Rules
Terms & Conditions help you regulate the activities of your users. This can help you to avoid potential legal issues with, for example, User Generated Content. If your Terms & Conditions agreement makes the rules of your website or service clear from the outset, your company is less likely to spend time dealing with inappropriate content.
There are a number of options when it comes to setting these rules out in your Terms & Conditions. Some companies choose to have a separate document called "Community Standards" or "Acceptable Use Policy." This is fine, but you must be sure to incorporate this into your main Terms & Conditions.
Take a look at how Facebook handles this:
You can see that Facebook states in its Terms & Conditions that users may not breach its Community Standards. By mentioning its Community Standards in its Terms & Conditions, Facebook has ensured that its Community Standards have the same binding status as its main Terms & Conditions.
Here's a small excerpt from the Community Standards, which you can see elaborates on what's included in the Terms & Conditions:
Protecting Your Company from Legal Action
When properly constructed and agreed to, Terms & Conditions are legally binding on your users. This means that your company can use them to defend against legal action brought by its users. Your users might, in some circumstances, be able to rely on your Terms & Conditions in court too - but remember that, within the limits consumer-protection law places on unfair terms, it's your company that decides what goes into them.
Your company's Terms & Conditions might, for example, contain an indemnity clause protecting it from any legal issues caused by User Generated Content.
Here's how the Washington Post handles this in its Terms & Conditions:
The Washington Post uses the phrase "hold harmless" here - an indemnity clause is sometimes known as a Hold Harmless clause. The effect of such a clause is to make the user legally responsible for any costs arising from illegal activity they commit on your company's site.
For example, if a user makes defamatory comments on your website and the defamed person sues you, the user would be responsible for covering any legal costs or damages you are required to pay out as a result of their defamatory activity.
Explaining the Reasons You Can Terminate Service
If your company's website or app offers users the option of creating an account for the purposes of making comments or submitting other User Generated Content, you need to have the option to suspend or terminate these accounts.
By including this in your company's Terms & Conditions, you remain in control over who may submit content to your pages.
Here's how LinkedIn explains this to its users:
Here's how Fox News approaches the issue of account termination. You'll notice that Fox News grants itself a lot more discretion than LinkedIn in this regard:
Establishing Your Intellectual Property Rights
You can use your Terms & Conditions as a way to ensure that you retain the rights over the content on your site. You can refer to this clause if any of your users violate your copyright or trademark rights.
Here's how not-for-profit FinTech North establishes its Intellectual Property rights in its Terms & Conditions:
Privacy Policy and Terms & Conditions - Key Differences
It's both important and beneficial for your company to have a Privacy Policy and a set of Terms & Conditions. Taking the time to produce these documents will help ensure that your company is operating in a legally compliant and transparent way.
A Privacy Policy:
- Provides information about your company's data protection and privacy practices.
- Is required by law, for example by:
- The EU's GDPR
- California's CalOPPA
- Canada's Personal Information Protection and Electronic Documents Act (the PIPEDA privacy law)
- Is required by many third parties, including:
- Website development software companies
- eCommerce store software companies
- Analytics and advertising services
- Should contain information about:
- Contact details for your company
- The types of personal data your company processes
- The reasons you need to process this personal data
- The ways in which you process personal data
- Any third parties with whom you share your users' personal data
Terms & Conditions:
- Set out the rules of your company's website or service and help you deal with any legal issues that might come up.
- Are not required by law, but are likely to prevent or mitigate legal problems.
- Can contain clauses that:
- Set out the rules that users of your website or service have to obey.
- Exclude or limit legal liability for the activities of users on your website.
- Explain the grounds on which you can terminate or suspend your users' use of your website or service.
- Establish that the content on your company's website is your company's Intellectual Property.