Does Your Business Need a Privacy Policy or Terms and Conditions?


Updated: October 13, 2021

Visit most websites and you are likely to see a privacy policy mentioned in the page footer, along with terms and conditions (also known as terms of service, terms of use or terms).  These statements may also appear when you are accessing restricted content or downloading software or an app.  Privacy policies and terms are important as they provide crucial information about the rights and obligations of the business, the site user, or both.  However, whether your business needs one or the other or both depends on the nature of your site, product, or service.  Even if they are not a necessity for legal reasons, they are likely to be helpful to your business and you should consider adding them to your site.


Terms describe what a user must agree to prior to entering into a transaction with the provider of the product or service.  The terms establish a legally binding contract (otherwise known as a “click-wrap” agreement) that a user agrees to by clicking a button.

There is no legal requirement to provide terms.  However, they are recommended because they allow companies to control the use of their products and services and minimize liability for any problems users may have.


  • Restrictions on how the product/service may be used
  • Consequences of unauthorized use (termination, removal of user’s content, financial penalties, etc.)
  • Refund and cancellation policies
  • Payment terms
  • Ownership of intellectual property
  • Limitations of liability
  • Dispute resolution mechanism

As noted above, terms are essentially a contract between your company and users who visit and use your website and, as such, are commonly drafted by an attorney to ensure the company’s rights are protected and enforceable.


Businesses that collect consumers’ personal information online are required to have a privacy policy that discloses the types of personal information the business collects and how that data will be stored, shared, and protected.  The purpose of a privacy policy is to inform consumers about their rights and give them the ability to opt out of sharing their information either by not providing their information or limiting its use.  However, it also helps companies establish a more transparent, trusting relationship with consumers and minimize potential liability in the event of security breaches.

Notably, most privacy laws require that policies be written clearly and succinctly since they are meant to educate and protect consumers.  Policies must explain what specific information is being collected; why it is being collected; how it will be processed and used; what security measures exist; and how users can access it, opt out from sharing of their data, and request their data be deleted.

Unfortunately, there is no general federal privacy law that sets forth what specific terms must be in a privacy policy.  Instead, consumer privacy is protected by a host of federal, state, and international laws.  At the federal level, the Federal Trade Commission protects consumers from unfair and deceptive trade practices so privacy policies cannot be false or misleading.  In addition, there are industry or content-specific privacy laws that apply to financial institutions (Gramm-Leach-Bliley Act), collection of information from children (Children’s Online Privacy Protection Act), pornography (Controlling the Assault of Non-Solicited Pornography and Marketing Act), and health information (Health Insurance Portability and Accountability Act).

At the state level, California is the leader with the California Consumer Privacy Act (CCPA).  The CCPA gives California residents the right to control how businesses use their personal information and mandates that entities meet certain privacy and security requirements.  The law applies to entities that hold or collect private information of California residents, do business in the state, and meet a specific financial or data quantity threshold.  Since it may not be practical to refuse to deal with California residents to avoid the CCPA, many businesses follow California’s privacy law regardless of where they typically operate.  However, other state laws may also apply.  New York has a privacy bill that is pending in the legislature, which is similar to the CCPA.

Businesses with data on residents of other countries may also have to comply with their laws.  The best known of these is the General Data Protection Regulation (GDPR) that protects the privacy of residents of the European Union. 

Finally, in addition to government requirements, some third-party service providers require that websites using their services have a privacy policy.


Anyone doing business online should consult an attorney about how to protect their rights and minimize their liability using terms and privacy policies.  Terms, like any contract, are often drafted or vetted by an attorney to ensure the company’s rights are protected and enforceable.  Privacy policies are subject to a wide array of privacy laws, so it is essential to consult an attorney to ensure compliance.


This Blog is made available by Romano Law PLLC for general informational and educational purposes only, not to provide specific legal advice. By using this Blog you understand that there is no attorney client relationship between you and Romano Law PLLC or any individual contributor. You should consult a licensed professional attorney for individual advice regarding your own situation.
