Guest author Alexandra Harmer of Ascenda Law Group discusses the importance of having terms of service and privacy policies for businesses operating in the digital world.
- Users Want Them
- It’s Required by Law if You Collect Personal Information
First, while terms of service are not required by law, keep in mind that if you don’t have terms of service, certain laws might govern visitors’ use of your website, products, and services that you might otherwise wish you had contracted around.
- The Americans With Disabilities Act
- The Cable Communications Policy Act of 1984
- Children’s Internet Protection Act
- The Computer Fraud and Abuse Act of 1986
- The Computer Security Act of 1997
- The Consumer Credit Reporting Control Act
- Children’s Online Privacy Protection Rule (COPPA)
Privacy policies are also required by law in many state jurisdictions. For example, in California, the California Online Privacy Protection Act (CalOPPA) requires that if you collect any personal information from any California-based users, like email addresses, GPS location, phone numbers, or mailing addresses, you have a legal statement available for visitors to review that details the privacy practices of your business. Because of the wide-reaching nature of the internet and technology, CalOPPA in effect means that if you collect any kind of personal information, even if it’s only an email address, you should have the CalOPPA-required legal statements in place. California also imposes requirements on businesses regarding privacy policies through its California Business & Professions Code.
In the U.S., the sectorial system means enforcement is divided among a number of government agencies, which, in theory, increases their resources for prosecution. In particular, civil and criminal penalties may be levied by the FTC. And, aside from government fines, business owners should also consider the risk of having to pay for liabilities arising from civil claims. While claims from individuals may be less likely, a claim from a consumer watch group is a very real risk.
One of the reasons so many companies are taking GDPR so seriously is the hefty fines for non-compliance. The Data Protection Authority (DPA) responsible for enforcing the GDPR is getting a lot of new enforcement authority. While we still aren’t certain how that will affect U.S. companies, it’s important to note that the largest fine the DPA can levy is €20,000,000. And, the fines are (in comparison to the last EU Data Directive) more formalized and harmonized so that they should be easier to apply.
- They May Be Required by Third-Party Services You Use
Alexandra Harmer focuses her practice on technology transactions with an emphasis on intellectual property licensing and protection, sales transactions, strategic business development, channel partner programs, and privacy protection policies. Prior to joining Ascenda Law Group, Alexandra was legal counsel at Sega of America, Inc. and clerked at a boutique intellectual property firm in San Francisco.