Privacy Policies versus Terms and Conditions

A Privacy Policy explains to your users how you'll be using their personal data, what steps you've taken to keep it safe, and how they can exercise their rights over their personal data. A Terms and Conditions agreement sets out what's expected from both you and your users. The agreement can be used to manage your users' activity and expectations, and to protect your company from legal issues.

Together, these agreements help ensure that you're compliant with consumer privacy laws and protecting yourself against any potential legal problems.

Privacy Policies

Creating a Privacy Policy is essential. If your company handles personal data in any way, you're required by law to have a Privacy Policy. Creating a Privacy Policy will also help your company consider whether it's complying with other aspects of privacy law.

Additionally, a Privacy Policy helps reassure your users that your company is looking after their personal data appropriately.

A Privacy Policy is Required by Law

Many privacy laws requires a Privacy Policy. It's practically impossible for any company with an online presence to avoid falling under the jurisdiction of one of these laws.

European Union (EU) Law

The EU's General Data Protection Regulation (GDPR) privacy law is notoriously rigorous and applies to any individual or organization which is:

Engaged in economic activity, and
Processing the personal data of EU citizens

These are the only two conditions required for you to fall under the GDPR. Your company doesn't need to be based in the EU - you just need to be dealing with citizens of EU Member States. This includes Germany, France, Sweden - even the UK will remain compliant with the GDPR upon leaving the EU.

In case you're wondering whether your company "processes personal data":

"Personal data," defined at Article 4(1) of the GDPR, means anything that could conceivably be used to "identify an individual" - including a person's name, and even their browser cookies.
"Processing," defined at Article 4(2) of the GDPR, means doing just about anything with that data - keeping a record of a person's name, having your website store your users' browser cookies.

United States (U.S.) Law

Another example of a privacy law that requires a Privacy Policy is the California Online Privacy Protection Act (CalOPPA). This privacy law is the most stringent in the U.S., and applies to anyone:

"that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service"

Under CalOPPA, your company is required to "conspicuously post its privacy policy on its Web site."

The law applies not only to companies located in the State of California, but also to any company or website that plans to have California residents amongst its users. Given that it's not really possible to exclude these 40 million people from your website or app, you need to comply with this law by creating a Privacy Policy.

A Privacy Policy is Required by Third Parties

Your company's website most likely makes use of third-party services such as website building or hosting software or ecommerce software. The Terms & Conditions of most of these third parties will often require you to have a Privacy Policy - either directly or indirectly, by requiring you to obey with privacy laws as a term of using the service.

Website Software/Hosting Services

Although it states that it's unable to give legal advice on what to include in a Privacy Policy, website development and hosting service Squarespace does advise its users of the following in relation to the GDPR:

Squarespace GDPR Best Practices guidance: Create or Update Your Privacy Policy

Website development and hosting service Wix also requires a Privacy Policy for any of its users who take payments through their site. More generally, Wix requires its users to obey the law and not violate user rights.

Take a look at the following section of Wix's Terms of Use:

Wix Terms of Use: Clause covering restrictions and privacy rights

Ecommerce Services

If you're taking payments on your website or app, you'll need your own Privacy Policy - even if you're using a third party to facilitate this. As part of their Terms & Conditions, almost all ecommerce services require their merchants (users) to have a Privacy Policy.

Take a look at this section of ecommerce platform Shopify's Privacy Policy:

Shopify Privacy Policy: Information from merchants clause with Privacy Policy requirement

Key Features of a Privacy Policy

What you need to include in your Privacy Policy depends partly on who'll be using your services. However, there are certain requirements common to various privacy laws that your company's Privacy Policy will need to comply with.

Who Your Users Can Contact About Their Data

Your Privacy Policy needs to tell your users who you are and how they can contact you.

Let's see how insurance company RAC provides its contact details in its Privacy Policy:

RAC UK Privacy Policy: Who we are clause - contact information

Types of Personal Data You Process

Article 12(1) of the GDPR requires that companies supply information about any data they are processing "in a concise, transparent, intelligible and easily accessible form, using clear and plain language."

A good place to start is by explaining to your users what type of personal data you'll be collecting from them.

Here's how IKEA does this in its Privacy Policy:

IKEA Privacy Policy: What personal data do we collect clause

Even if your company isn't asking your users to actively supply personal data, you'll need to inform them about your use of browser information such as cookies.

Accounting software company Sage handles this by publishing a separate Cookies Policy which is incorporated into its main Privacy Policy. Here's a small excerpt:

Sage Cookies Policy: Screenshot of excerpt of intro

CalOPPA requires you to inform California residents of how your website responds to Do Not Track (DNT) signals. This is a feature of some web browsers which asks websites to disable tracking mechanisms such as cookies.

Here's how Land Rover USA complies with this:

Land Rover USA Privacy Policy: DNT - Do Not Track clause

Note that CalOPPA doesn't require your website to honor DNT requests - but it does require transparency.

How You Process Personal Data

Your Privacy Policy needs to explain to your users the ways in which your company will use their personal data.

Here's part of how Apple explains this:

Apple UK Privacy Policy: How we use your personal information clause excerpt

Information About Third Parties

There are a number of reasons that you might need to pass your users' information onto third parties. Under Article 4(8) of the GDPR, an organization that processes data on the data controller's behalf is known as a "data processor." A data processor might be:

An ecommerce platform which takes payments on your company's behalf
A database software company which stores customer details on your behalf
A survey company which gathers feedback on your behalf

If a data processor you work with is processing EU citizens' personal data outside of the EU, you should make reference to this in your Privacy Policy, together with some information about how they meet the standards of the GDPR.

Here's an example of the UK Government's website GOV.UK does this:

Note that your Privacy Policy doesn't necessarily need to give the actual names of the third parties you are sharing your users' personal data with - Article 30(1)(d) of the GDPR only requires it to provide: "the categories of recipients to whom the personal data have been or will be disclosed [...]."

Terms & Conditions

Terms and Conditions

A Terms & Conditions agreement (sometimes called Terms of Use or Terms of Service) sets out what your company expects of its users, and what your users can expect from your company in return.

Terms & Conditions are not a legal requirement in the same way as a Privacy Policy.

However, having a clear set of Terms & Conditions is highly beneficial for any company:

Terms & Conditions are an agreement between you can your users about what they can and cannot do when using your service.
Terms & Conditions can protect or limit the damage that can be caused to your company through legal action.
Terms & Conditions can allow you to fairly withdraw or suspend service.

Key Benefits and Features of a Terms & Conditions Agreement

Key Benefits and Features of T and C

What you include in your Terms & Conditions largely depends on the nature of your company and your online presence. These are some of the general and universal benefits of having a Terms & Conditions agreement:

Setting Out Your Rules

Terms & Conditions help you regulate the activities of you users. This can help you to avoid potential legal issues with, for example, User Generated Content. If your Terms & Conditions agreement makes the rules of your website or service clear from the outset, your company is less likely to spend time dealing with inappropriate content.

There are a number of options when it comes to setting these rules out in your Terms & Conditions. Some companies choose to have a separate document called "Community Standards" or "Acceptable Use Policy." This is fine, but you must be sure to incorporate this into your main Terms & Conditions.

Take a look at how Facebook handles this:

You can see that Facebook states in its Terms & Conditions that users may not breach its Community Standards. By mentioning its Community Standards in its Terms & Conditions, Facebook has ensured that its Community Standards have the same binding status as its main Terms & Conditions.

Here's a small excerpt from the Community Standards, which you can see elaborates on what's included in the Terms & Conditions:

Protecting Your Company from Legal Action

When properly constructed and agreed to, Terms & Conditions are legally binding on your users. This means that your company can use them to defend against legal action brought by its users. Your company's users might, in some circumstances, be able to rely on your Terms & Conditions in court, too - but remember that it's your company that calls the shots as to what goes into your Terms & Conditions.

Your company's Terms & Conditions might, for example, contain an indemnity clause protecting it from any legal issues caused by User Generated Content.

Here's how the Washington Post handles this in its Terms & Conditions:

Washington Post Terms and Conditions: Indemnification clause

Washington Post uses the phrase "hold harmless" here - an indemnity clause is sometimes known as a Hold Harmless clause. The effect of such a clause would be to render the user legally responsible for any costs associated with illegal activity they commit on your company's site.

For example, if a user makes defamatory comments on your website and the defamed person sues you, the user would be responsible for covering any legal costs or damages you are required to pay out as a result of their defamatory activity.

Explaining the Reasons You Can Terminate Service

If your company's website or app offers users the option of creating an account for the purposes of making comments or submitting other User Generated Content, you need to have the option to suspend or terminate these accounts.

By including this in your company's Terms & Conditions, you remain in control over who may submit content to your pages.

Here's how LinkedIn explains this to its users:

Here's how Fox News approaches the issue of account termination. You'll notice that Fox News grants itself a lot more discretion than LinkedIn in this regard:

Fox News Terms of Use: Termination clause

Establishing Your Intellectual Property Rights

You can use your Terms & Conditions as a way to ensure that you retain the rights over the content on your site. You can refer to this clause if any of your users violate your copyright or trademark rights.

Here's how not-for-profit FinTech North establish its Intellectual Property rights in its Terms & Conditions:

FinTech North UK Terms and Conditions: Copyright and Trademark Information clause

Privacy Policy and Terms & Conditions - Key Differences

Key Difference

It's both important and beneficial for your company to have both a Privacy Policy and a set of Terms & Conditions. Taking the time to produce these documents will help ensure that your company is operating in a legally compliant and transparent way.

A Privacy Policy:

Provides information about your company's data protection and privacy practices.
Is required by law, for example by:
- The EU's GDPR
- California's CalOPPA
- Canada's Personal Information Protection and Electronic Documents Act (the PIPEDA privacy law)
Is required by many third parties, including:
- Website development software companies
- eCommerce store software companies
- Analytics and advertising services
Should contain information about:
- Contact details for your company
- The types of personal data your company processes
- The reasons you need to process this personal data
- The ways in which you process personal data
- Any third parties with whom you share your users' personal data

Terms & Conditions:

Set out the rules of your company's website or service and help you deal with any legal issues that might come up.
Are not required by law, but are likely to prevent or mitigate against legal problems.
Can contain clauses that:
- Set out the rules that users of your website or service have to obey.
- Exclude or limit legal liability for the activities of users on your website.
- Explain the grounds on which you can terminate or suspend your users' use of your website or service.
- Establish that the content on your company's website is your company's Intellectual Property.

About this article

Last updated

This article was last updated on 07 September 2022.

Author

FreePrivacyPolicy Legal Writing Team

Privacy Policies versus Terms and Conditions