How Not to Do Website Terms of Use

Client: Hi Paul, we need website terms of use and a privacy policy. We want to save money, so we’ve copied the terms of use and privacy policy for XYZ company, which has a similar product. Please review it for us so we can post it when we launch next week.

Me: [facepalm repeatedly]

This is the classic and all-too-common scenario, and it’s completely the wrong way for a startup to do their website terms of use and privacy policy. First, it’s blatant copyright infringement. Just swapping out your company name for their company name isn’t exactly going to fool anyone.

Second, just because XYZ has a similar product, or operates in roughly the same space, doesn’t mean that they operate exactly how you operate in every single respect. Nor does it mean that their policies and practices will suit your tastes. So unless you plan on copying all of XYZ’s internal policies and practices and operating procedures, much of what is in that terms of use and privacy policy simply won’t be an accurate reflection of your company.

Third, who’s to say that the terms of use or privacy policy that you copied from someone else’s website is any good? It could be a hot mess. They could have copied their terms of use from some company that’s completely unrelated in every way.

As the CEO of a startup, your job is much bigger than just writing software code. You have to run the company. That means putting the time into things like what will go into your terms of use, and developing information collection and handling practices that are accurately reflected in your privacy policy. You have to be intentional about this. When you just send me a terms of use that you copied from someone else, I’m going to push back, and ask you to describe your business model and practices. If you can’t do that, it tells me you haven’t put the time into it yet.

This is an important process, and you cut corners at your risk, and the risk of your investors. Terms of use, if done right, form a binding contract between your company and its customers, a contract that favors you and puts your company in a strong position. Done poorly, and you’re litigating with a customer in a court in Fairbanks, Alaska in February. Privacy policies are increasingly important as states like California, with 38 million residents, pass more and more restrictions on how you can collect and use customer data. You don’t just face the risk of class-action lawsuits, you also have to worry about FTC investigations and fines. Spending your time and money to do things right from the start will save you money, time, and headaches down the road.


Online Privacy Rights for Minors

In a previous post, I wrote about a new California law addressing online privacy rights of minors. That law (California Business & Professions Code Section 22580 to 22582), which took effect on January 1, 2015, does a couple of things. As I wrote in the previous post, the law restricts the kinds of products that can be marketed online to minors under the age of 18. The second thing the new law does is impose content-removal obligations on these website and mobile app operators. That is the subject of this post. The law protects minors who live in California, but it broadly applies to websites and mobile apps located anywhere, if they have users located in California. Since California has more than 9 million residents under the age of 18, out-of-state website and mobile app operators cannot afford to assume that the law doesn’t reach them.

These new content-removal obligations apply to websites and mobile apps that are directed at minors, and also to any websites or mobile apps where the operator has actual knowledge that minors are using them. The operators of these websites and apps must permit minors who are registered users to remove or, if the operator prefers, request and obtain removal of, content or information posted by that registered user. The operator also must notify minors who are registered users that they have these content-removal rights, and provide clear instructions on how to go about getting content or information removed. The operator also has to notify the minors who are registered users that the removal does not ensure complete or comprehensive removal of the content or information.

The operator (or a third party) does not have to erase or eliminate the content or information in any of the following circumstances:

  1. If any other provision of state or federal law requires keeping that content or information.
  2. If the content or information was stored on or posted to the website or mobile app by a third party other than the minor, including content or information that was posted by the minor that the third party has republished or reposted.
  3. If the operator anonymizes the information posted by the minor, so that the minor cannot be individually identified.
  4. If the minor does not follow the instructions on how to obtain the removal of the content.
  5. If the minor has received some kind of compensation for posting the content.

An operator will be considered in compliance with its obligations if it makes the content no longer visible to registered users or the public, even if the content still remains on the operator’s servers. Also, the operator will be in compliance if it removes the content, and then the content remains visible because a third party has reposted it.

If you are operating a website or mobile app directed at minors, or if you know that minors are using your website or app, now is a good time to start implementing procedures to comply with this new law. You will need to set up a mechanism for minors to remove content themselves, or you will need a mechanism for minors to request that you remove the content. You will also need notice provisions. While you might try to implement these changes only with respect to minors who are in California, it may be easier to grant the same rights to minors no matter where they live. Finally, this new law will also require changes to your website’s (or app’s) terms of use and privacy policy.

Follow me on Twitter @PaulHSpitz


Privacy Policy 201 – Online Tracking

I recently posted Privacy Policy 101, discussing some basic elements of a website’s privacy policy. Now that the California Attorney General’s office has released an important policy statement on website privacy practices with respect to Do Not Track (DNT) technology, it’s time for Privacy Policy 201.

More than 10 years ago, California passed the California Online Privacy Protection Act of 2003 (CalOPPA), the first law in the country that set out requirements for website privacy policies. CalOPPA applies to the operator of any commercial website or online service (which includes mobile apps) that collects personally identifiable information through the internet about individual consumers residing in California. It would be a mistake for the reader to say, “my company is in Ohio, so this California law doesn’t apply to me.” Chances are, your website has California users. In addition, considering the size of the California market (the most populous US state) and the borderless nature of the internet, it is sound policy for any commercial website operator to comply with CalOPPA, no matter where located.

In Privacy Policy 101, I described three basic requirements:

  1. Notify visitors as to the kinds of personally-identifiable information collected,
  2. Notify visitors as to how the information will be used, and
  3. Advise visitors as to how they can opt out of the collection and use of information.

In 2013, the California legislature amended CalOPPA to deal with the issue of online tracking – the collection of personal information about consumers as they move across web sites and online services. DNT technology is now widespread, and every major web browser incorporates a DNT option in its privacy settings. The CalOPPA amendments require website operators to inform consumers of how they respond to DNT signals and requests. Note that there is no requirement that a website operator actually honor DNT signals or requests. CalOPPA merely requires that the website operator be honest and transparent about how it responds. For example, if a particular website does not honor DNT requests, it should disclose this fact. By doing so, the website enables the consumer to make an informed decision about whether he or she wants to continue to use that website.

The CalOPPA amendments also require the website operator to disclose the possible presence of other parties conducting online tracking on the operator’s website or online service.

The California Attorney General recommends the following practices regarding online tracking and DNT:

First, include a separate, clearly-labeled section about online tracking in your privacy policy.

Second, describe how your website responds to DNT signals – whether you honor DNT signals, whether you treat consumers that request DNT differently from consumers that don’t request DNT, and how you use any personally identifiable information collected from consumers that request DNT.

Third, disclose whether any third parties collect personally identifiable information on your site, whether they are or may be conducting online tracking, and whether such tracking conforms to your tracking policy.

As with any significant change, this is a good opportunity to review your practices with respect to online tracking, including an evaluation of how informed consumers will react to your practices.
