
Guest Blog: Why You Need (or Should Update) Terms of Service & Privacy Policies

Guest author Alexandra Harmer of Ascenda Law Group discusses the importance of having terms of service and privacy policies for businesses operating in the digital world. 

If you receive email, you have likely received many of the seemingly endless notices notifying you that [insert Vendor name here] has updated its website terms of service and privacy policy in the wake of the enactment of the General Data Protection Regulation (GDPR). You may even have had a good laugh at one of the many memes inspired by this phenomenon. But aside from perhaps having a good laugh and deleting more emails than normal, you might also be wondering if your website terms of service and/or privacy policy need an update, or if you need these documents at all. Facebook and Twitter have them, but does that mean every website needs them? Below are three reasons why you may need website terms of service and a privacy policy or should be updating the ones you currently have.

  1. Users Want Them

At the heart of it, terms of service and privacy policies are contracts, which act as guides explaining the relationship you have with another party. A contract tells each party what it can expect from the association and, if well drafted, can even help resolve disputes without litigation. In the case of website terms of service and privacy policies, these documents tell visitors what their rights are, and may include information about how to use the website and what the relevant policies are (such as return policies and, yes, privacy policies). Making your terms readily available means customers don’t have to spend time contacting you to ask a myriad of questions about your policies, and won’t need to violate your terms in order to find out that they’ve done something they shouldn’t have. Having clear website terms of use can also reduce issues down the line simply because you have already let visitors know what your policies are and how they can comply with them.

With privacy policies in particular, visitors want to (and in many jurisdictions have the right to—more on that later) know what data you’re collecting about them and how you’re using it. These days, because personal information theft is more common, people are warier about the data they share and who they share it with; people care about their privacy. Most visitors want to feel secure before providing private information, such as their home address or even their name or email address. Thus, a privacy policy is a great way to show your visitors that you can be trusted, and that you have the necessary protections and procedures in place to handle their personal information with care.

If you haven’t updated your contracts following GDPR, you should consider it. I could write a very long post about what has changed for data processors since GDPR was enacted and how that affects privacy practices, but perhaps the principal takeaway is: greater transparency. If GDPR applies to you (and it does if you have an established office in the EU, transfer data from the EU, or target EU customers through your website), then you are required to be transparent about details regarding such data, including (for example) what data you are collecting, how you collect it, how you use it, and who you share it with. Also, you have to give the data subject (the person from or about whom you are collecting the data) certain rights to control the personal data you have in your possession, including the right to change it, revoke their consent for you to use it, or require that you delete it at any time. All of this should be carefully detailed in your privacy policy so that visitors can easily understand their rights and your obligations regarding their data. It’s important to note that having a privacy policy does not, by itself, mean that you have complied with GDPR. However, having an up-to-date and compliant privacy policy is significant in making visitors aware of the steps you have taken to comply with relevant law and protect their personal data.

  2. It’s Required by Law if You Collect Personal Information

First, while terms of service are not required by law, keep in mind that if you don’t have terms of service, certain laws might govern visitors’ use of your website, products, and services that you might otherwise wish you contracted around.

Second, while there isn’t a single federal law that requires U.S. companies to have a privacy policy, the totality of various federal and state laws indicates that you should, regardless of where in the U.S. you operate. The U.S. takes a sectoral approach to privacy enforcement, i.e., one set of laws for the health sector, one for the financial sector, etc. This approach differs from the EU, which takes a more blanket approach (i.e., GDPR): a baseline of data protection, consents, and disclosures is required for all businesses before collecting or using any personal data, and more stringent requirements are placed on businesses collecting more sensitive information (like financial or health information). But even if you don’t collect “sensitive data,” the Federal Trade Commission (FTC) governs data protection for all consumers in the U.S., and the following statutes (among others) regulate personal information in some form or another:

  • The Americans with Disabilities Act
  • The Cable Communications Policy Act of 1984
  • Children’s Internet Protection Act
  • The Computer Fraud and Abuse Act of 1986
  • The Computer Security Act of 1997
  • The Consumer Credit Reporting Control Act
  • Children’s Online Privacy Protection Rule (COPPA)

Privacy policies are also required by law in many state jurisdictions. For example, in California, the California Online Privacy Protection Act (CalOPPA) requires that if you collect any personal information from any California-based users, like email addresses, GPS location, phone numbers, or mailing addresses, you must have a legal statement available for visitors to review that details the privacy practices of your business. Because of the wide-reaching nature of the internet and technology, CalOPPA in effect means that if you collect any kind of personal information, even if it’s only an email address, you should have the CalOPPA-required legal statements in place. California also imposes requirements on businesses regarding privacy policies through its California Business & Professions Code.

In the U.S., the sectoral system means enforcement is divided among a number of government agencies, which, in theory, increases their resources for prosecution. In particular, civil and criminal penalties may be levied by the FTC. And, aside from government fines, business owners should also consider the risk of having to pay for liabilities arising from civil claims. While claims from individuals may be less likely, a claim from a consumer watchdog group is a very real risk.

And, one of the reasons so many companies are taking GDPR so seriously is also because of the hefty fines for non-compliance. The Data Protection Authority (DPA) responsible for enforcing the GDPR is getting a lot of new enforcement authority. While we still aren’t certain how that will affect U.S. companies, it’s important to note that the largest fine the DPA can levy is €20,000,000. And, the fines are (in comparison to the last EU Data Directive) more formalized and harmonized so that they should be easier to apply.

  3. They May Be Required by Third-Party Services You Use

Many third-party services that are designed to enhance websites or apps, such as Google AdWords or Google Analytics, require that businesses utilizing their services have a privacy policy that contains certain information about those businesses’ use of their services, plugins, SDKs, etc. Google Analytics in particular requires a privacy policy because it stores cookies on a user’s computer, which are then used to collect data about the visitor.

Because of Google Analytics’ use of cookies, both CalOPPA and the EU Cookies Directive require you to disclose both your usage of Google Analytics and the service’s cookie usage, which you could accomplish in your privacy policy. If you already use cookies and do not yet have a detailed cookie policy that complies with the EU Cookies Directive and CalOPPA, it is likely time to either create one or update your existing version. But Google Analytics is just an example: Google AdWords, Facebook, Twitter, GoogleAds, and the Apple App and Google Play stores (just to name a few) all have similar requirements.

So, what does all this mean, practically, for your business? With more emphasis on privacy in the cyber-world, you should consider updating your current privacy policy and website terms of service with an expert. And, if you don’t yet have a privacy policy and website terms of service, you should promptly take steps to create such documents.

Alexandra Harmer focuses her practice on technology transactions with an emphasis on intellectual property licensing and protection, sales transactions, strategic business development, channel partner programs, and privacy protection policies. Prior to joining Ascenda Law Group, Alexandra was legal counsel at Sega of America, Inc. and clerked at a boutique intellectual property firm in San Francisco.
