October 28, 2022 | Business

Does Your Business Need Terms of Service and a Privacy Policy?

Ru Hochen

Associate Attorney

Visit most websites and you are likely to see in the page footer mention of a privacy policy and terms of service (also known as “terms and conditions,” “terms of use” or simply “terms”).  These statements may also appear when you are registering for an online account, accessing restricted content, purchasing goods or services online, or downloading software or apps.  Terms and privacy policies provide crucial information about the rights and obligations of the business provider and the site user.  Whether your business needs these policies and which specific clauses should be included will depend largely on the nature of your business.


What Are Terms and Conditions, and Do You Need Them?

Terms and conditions describe what a user must agree to prior to entering into a transaction with the provider of the product or service.  Once a user has agreed to them, the terms establish a legally binding contract.  The terms often appear on a website or app in the form of a “click-wrap” agreement, where a user agrees by clicking a button.

Legally, a business is not required to provide terms and conditions on its website.  However, they are recommended because they allow companies to control the use of their products and services and minimize liability.  Additionally, courts have found click-wrap terms enforceable even when the user claims not to have read them.  Displaying these terms on your website in a clear, conspicuous manner, and recording the user's assent, gives you added protection.

What Should Be Included in Your Terms and Conditions?

Common provisions to consider adding to your terms and conditions are:

  • Restrictions on how the product/service may be used;
  • Consequences of unauthorized use (e.g., account suspension or termination, removal of user’s content, financial penalties, etc.);
  • Ownership of intellectual property;
  • Limitations of liability;
  • Governing law;
  • Dispute resolution mechanism.

The rest of the terms may vary depending on the type of business you operate.  For instance, an e-commerce business may consider adding payment and shipping terms as well as refund and cancellation policies.  For a social media site, the platform provider often includes terms about age restrictions and certain forbidden content or conduct to protect other users on the site.


When Do You Need a Privacy Policy?

In the U.S., while there is currently no uniform federal law requiring a privacy policy for every business, your business may very well be subject to several federal, state and international laws.  Generally, businesses that collect consumers’ personal information are required to provide notice disclosing the types of personal information being collected and how that data will be used, stored, shared and protected.  A privacy policy serves that function and informs consumers about their rights regarding that data and the business’s data collection practices.  It also helps companies establish a more transparent, trusting relationship with consumers and minimize potential liability in the event of a security breach.

What Should Be Included in a Privacy Policy? 

While there are no specifically required terms in a privacy policy, most privacy laws require that policies be written clearly and succinctly, since they are meant to provide adequate notice to consumers.  Policies should explain what specific information is being collected; why it is being collected; how it will be processed and used; what security measures are in place to protect it; and how users can access it, opt out of data-sharing, or request that certain data be deleted.  Describe only the security measures you actually have in place: a policy that overstates your safeguards creates liability rather than reducing it.

Other Compliance Considerations

As noted above, consumer privacy is regulated by a host of federal, state and even international laws.  There is no federal omnibus privacy law, but at the federal level, the Federal Trade Commission (FTC) protects consumers from unfair and deceptive trade practices.  As a result, privacy policies must not be false or misleading.  Failure to comply with your own privacy statement, including any security measures it claims you take, could lead to FTC enforcement actions against your company.  In addition, if you work in a specific industry or collect certain sensitive data, you should pay close attention to sector-specific or content-specific privacy laws.  For instance, any entity that collects information from children under 13 years old should be aware of the consent requirements under the Children’s Online Privacy Protection Act (COPPA).  The federal government also sets forth stringent rules about the collection and handling of protected health information under the Health Insurance Portability and Accountability Act (HIPAA), which applies to covered entities such as health care providers and insurers and to their business associates.  Further, if your business regularly sends advertising or marketing emails to customers, be sure to include an “opt-out” or “unsubscribe” option as required by the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM).

At the state level, few states have adopted fully-fledged privacy acts, the most prominent being the California Consumer Privacy Act (CCPA).  The CCPA gives California residents the right to control how businesses use their personal information and mandates that covered entities meet certain privacy and security requirements.  Even if your company is not physically located in California, the CCPA may still apply if your company collects or holds personal information of California residents, does business in the state, and meets a specific revenue or data-volume threshold.  Since it may not be practical to refuse to deal with California residents to avoid the CCPA, many businesses follow California’s privacy law regardless of where they typically operate.  Following California’s lead, a privacy bill similar to the CCPA is pending in New York’s state legislature.

Businesses with data on residents of other countries may also have to comply with the laws of those countries.  The best known of these is the General Data Protection Regulation (GDPR) that protects the privacy of residents of the European Union.  Entities doing cross-border transactions with Chinese entities or residents should also be aware of China’s latest Personal Information Protection Law that largely mirrors the GDPR’s stringent requirements.


Anyone doing business online should consult an attorney about how to protect their rights and minimize their liability using terms of service and privacy policies.  Terms, like any contract, are often drafted or vetted by an attorney to ensure the company’s rights are protected and enforceable.  Privacy policies are subject to a wide array of privacy laws, so it is important to consult an attorney to ensure compliance.  Contact a member of our team for next steps.

[This blog post has been updated from a previous version, published October 13, 2021]

Carlianna Dengel is admitted to practice law in New York and California.

Photo by Thomas Lefebvre on Unsplash