Every Business Website Needs These Documents
If your business has a website, you need two legal documents: terms of service and a privacy policy. These are not optional extras. They protect your business from liability, set expectations with users, and keep you compliant with federal and state privacy laws.
Skipping these documents exposes you to lawsuits, regulatory fines, and loss of customer trust. Getting them right is straightforward if you understand what they need to contain and why.
Terms of Service: Your Website's Rulebook
Terms of service (also called terms of use or terms and conditions) establish the rules users must follow when using your website. They also limit your liability and protect your intellectual property.
What to Include in Your Terms of Service
Acceptance of terms. State that by using your website, the user agrees to your terms. This can be implicit (browsewrap) or explicit (clickwrap). Clickwrap agreements, where users must check a box, are more enforceable.
Description of services. Explain what your website offers and any limitations on those services.
User responsibilities. Define acceptable use. Prohibit activities like scraping, hacking, uploading malware, or using your site for illegal purposes.
Account terms. If users create accounts, cover password responsibility, account termination conditions, and age requirements.
Intellectual property rights. State that your website content, including text, images, logos, and code, is your property and protected by copyright and trademark law.
User-generated content. If users can post reviews, comments, or other content, specify that they grant you a license to use that content and that they are responsible for what they post.
Limitation of liability. Cap your liability to the maximum extent permitted by law. This is one of the most important clauses in the entire document.
Disclaimer of warranties. State that your website is provided "as is" without warranties of any kind.
Governing law and dispute resolution. Specify which state's laws apply and how disputes will be resolved. Consider requiring arbitration to avoid expensive litigation.
Modification clause. Reserve the right to update your terms and explain how users will be notified of changes.
Enforceability Tips
Courts are more likely to enforce your terms if:
- Users must actively agree (clickwrap over browsewrap)
- The terms are clearly written and not buried
- Users are notified of material changes
- The terms are not unconscionably one-sided
Privacy Policy: What You Do With Data
A privacy policy tells users what personal information you collect, how you use it, and who you share it with. Unlike terms of service, privacy policies are legally required in most situations.
When a Privacy Policy Is Required
You need a privacy policy if you:
- Collect any personal information from users (names, emails, phone numbers, IP addresses)
- Use analytics tools like Google Analytics (they collect data on your behalf)
- Run an e-commerce store
- Operate in California, the EU, or many other jurisdictions with privacy laws
- Collect information from children under 13 (COPPA applies)
If your website has a contact form, email signup, analytics, or cookies, you need a privacy policy. That covers virtually every business website.
What to Include in Your Privacy Policy
Information collected. List every type of personal data you collect. Be specific: names, email addresses, IP addresses, browsing behavior, payment information, etc.
How information is collected. Explain the methods: forms, cookies, analytics tools, third-party integrations.
How information is used. State every purpose: sending newsletters, processing orders, improving the website, targeted advertising.
Who information is shared with. Disclose all third parties who receive user data: email service providers, payment processors, analytics platforms, advertising networks.
Data retention. State how long you keep personal data and how you dispose of it.
User rights. Explain what rights users have regarding their data. This varies by jurisdiction. California residents have specific rights under the CCPA, and EU residents have rights under the GDPR.
Security measures. Describe how you protect user data. You do not need to reveal specific technical details, but acknowledge that you use reasonable security measures.
Cookie policy. Explain what cookies you use, why, and how users can manage them. Some businesses include this as a separate cookie policy.
Children's privacy. If your site is not directed at children under 13, state that explicitly. If it is, you must comply with COPPA, which requires verifiable parental consent before collecting children's data.
Contact information. Provide a way for users to contact you about privacy concerns.
Effective date and changes. Date your policy and explain how you will notify users of updates.
Key Laws You Need to Know
FTC Act Section 5
The Federal Trade Commission can take action against businesses that engage in unfair or deceptive practices. If your privacy policy says one thing and you do another, the FTC can pursue enforcement action.
COPPA
The Children's Online Privacy Protection Act applies if you collect data from children under 13. Requirements include obtaining verifiable parental consent and providing parents with access to their children's data.
CAN-SPAM Act
If you send commercial emails, you must include your physical address, provide an unsubscribe mechanism, and honor opt-out requests within 10 business days.
State Laws
California's CCPA and CPRA give consumers the right to know what data is collected, request deletion, and opt out of data sales. Virginia, Colorado, Connecticut, and other states have passed similar laws. Check the privacy laws in every state where you have customers.
Common Mistakes to Avoid
Copying another company's policy. Your privacy policy must reflect your actual practices. Copying someone else's policy almost guarantees inaccuracy.
Using legal jargon. Privacy policies should be readable. Write in plain language. The FTC has penalized companies for confusing privacy disclosures.
Failing to update. Your privacy practices change as your business grows. Review and update your policies at least annually and whenever you add new tools or data collection methods.
Burying the links. Place links to your terms of service and privacy policy in your website footer on every page. Make them easy to find.
Ignoring mobile. If you have a mobile app, it needs its own privacy policy disclosures tailored to the data the app collects.
Getting Started
- Audit every piece of data your website collects, including through third-party tools.
- Document how that data is used, stored, and shared.
- Draft your privacy policy based on your actual practices.
- Draft your terms of service with appropriate liability protections.
- Have a lawyer review both documents.
- Publish them prominently on your website.
- Set a calendar reminder to review and update annually.
These documents are not one-and-done. Treat them as living documents that evolve with your business.
State-by-State Privacy Law Requirements
Privacy legislation is expanding rapidly across the US. Here is where things stand as of early 2026:
| State | Law | Effective Date | Revenue/Data Threshold | Key Requirements |
|---|---|---|---|---|
| California | CCPA/CPRA | Jan 2020/Jan 2023 | $25M revenue or 100K consumers | Right to know, delete, opt-out of sale |
| Virginia | VCDPA | Jan 2023 | 100K consumers or 25K with 50%+ revenue from data | Right to access, correct, delete, opt-out |
| Colorado | CPA | Jul 2023 | 100K consumers or 25K with revenue from data | Universal opt-out mechanism required |
| Connecticut | CTDPA | Jul 2023 | 100K consumers or 25K with 25%+ revenue from data | Right to access, correct, delete |
| Utah | UCPA | Dec 2023 | $25M revenue and 100K consumers | Right to access, delete, opt-out |
| Texas | TDPSA | Jul 2024 | No revenue threshold, applies broadly | Right to know, correct, delete |
| Oregon | OCPA | Jul 2024 | 100K consumers or 25K with 25%+ revenue from data | Right to access, correct, delete |
| Montana | MCDPA | Oct 2024 | 50K consumers | Right to access, correct, delete |
This list continues to grow. If you serve customers in multiple states, build your privacy practices to the strictest standard you are likely to face. That typically means California's CCPA/CPRA requirements, which are the most comprehensive.
Cookie Consent Implementation Guide
If your website uses cookies (and it almost certainly does if you have Google Analytics, Facebook Pixel, or any third-party tools), you need a cookie consent mechanism:
What cookies does your site likely use?
- Analytics cookies (Google Analytics, Hotjar)
- Marketing cookies (Facebook Pixel, Google Ads)
- Functional cookies (chat widgets, video embeds)
- Essential cookies (session management, security)
Implementation options:
| Solution | Cost | Ease of Setup | Compliance Level |
|---|---|---|---|
| Cookiebot | $10-40/month | Easy (script tag) | High (GDPR + CCPA) |
| Termly | $10-40/month | Easy (widget) | High |
| OneTrust | Free-$200/month | Moderate | Highest |
| Osano | Free-$200/month | Easy | High |
| Custom implementation | $500-2,000 (developer) | Complex | Depends on quality |
Best practice configuration:
- Block non-essential cookies until the user consents
- Provide granular choices (analytics, marketing, functional)
- Include a "reject all" option as prominent as the "accept all" option
- Record consent with timestamp for compliance records
- Allow users to change their preferences at any time
Privacy Policy vs. Terms of Service: Key Differences
Many business owners confuse these two documents. They serve different purposes and have different legal requirements:
| Feature | Privacy Policy | Terms of Service |
|---|---|---|
| Purpose | Discloses how you handle personal data | Sets rules for using your website/service |
| Legally required? | Yes, in most cases | No federal requirement, but strongly recommended |
| Protects | Consumer rights to data privacy | Your business from liability |
| Must be accurate? | Yes -- FTC enforces accuracy | Yes -- courts evaluate fairness |
| Where to display | Footer link on every page | Footer link on every page |
| Update triggers | New data collection practices, new tools | New features, policy changes, legal updates |
| Enforcement risk | FTC fines, state AG actions, lawsuits | Contract disputes, user claims |
Both documents should be linked in your website footer. Both should be written in plain language. Both should be reviewed at least annually.
Disclaimer: Privacy and data protection laws change frequently. Consult with a qualified attorney to ensure your policies comply with all applicable laws in your jurisdiction.
Frequently Asked Questions
Does my business website need a privacy policy?
Yes. If your website has a contact form, email signup, analytics (like Google Analytics), or cookies, you need a privacy policy. That covers virtually every business website. California's CCPA, the EU's GDPR, and FTC rules all require disclosure of data collection practices. Not having one exposes you to fines and lawsuits.
How much does it cost to get a terms of service and privacy policy?
A lawyer can draft both documents for $500-2,000 depending on complexity. Online legal services like Termly or PrivacyPolicies.com offer templates for $10-50 per month. However, templates must be customized to reflect your actual data practices. The cheapest approach is to draft using a template, then pay a lawyer $300-500 for a review.
What is the difference between terms of service and a privacy policy?
Terms of service set the rules users must follow when using your website -- they limit your liability and protect your intellectual property. A privacy policy explains what personal data you collect, how you use it, and who you share it with. Both are separate documents, both are needed, and both should be linked in your website footer.
Do I need a cookie consent banner on my website?
If you serve EU visitors, yes -- GDPR requires explicit cookie consent. For US-only businesses, it depends on your state. California requires a 'Do Not Sell My Personal Information' link under CCPA. Best practice is to implement a cookie consent banner that lets users accept, reject, or customize preferences regardless of your audience location.
How often should I update my privacy policy?
Review and update at least annually and whenever you add new tools, data collection methods, or third-party integrations. If you start using a new email marketing service, CRM, or analytics tool, your privacy policy needs to reflect that. The FTC has penalized businesses for policies that do not match actual practices.