Every Business Website Needs These Documents
If your business has a website, you need two legal documents: terms of service and a privacy policy. These are not optional extras. They protect your business from liability, set expectations with users, and keep you compliant with federal and state privacy laws.
Skipping these documents exposes you to lawsuits, regulatory fines, and loss of customer trust. Getting them right is straightforward if you understand what they need to contain and why.
Terms of Service: Your Website's Rulebook
Terms of service (also called terms of use or terms and conditions) establish the rules users must follow when using your website. They also limit your liability and protect your intellectual property.
What to Include in Your Terms of Service
Acceptance of terms. State that by using your website, the user agrees to your terms. This can be implicit (browsewrap) or explicit (clickwrap). Clickwrap agreements, where users must check a box, are more enforceable.
Description of services. Explain what your website offers and any limitations on those services.
User responsibilities. Define acceptable use. Prohibit activities like scraping, hacking, uploading malware, or using your site for illegal purposes.
Account terms. If users create accounts, cover password responsibility, account termination conditions, and age requirements.
Intellectual property rights. State that your website content, including text, images, logos, and code, is your property and protected by copyright and trademark law.
User-generated content. If users can post reviews, comments, or other content, specify that they grant you a license to use that content and that they are responsible for what they post.
Limitation of liability. Cap your liability to the maximum extent permitted by law. This is one of the most important clauses in the entire document.
Disclaimer of warranties. State that your website is provided "as is" without warranties of any kind.
Governing law and dispute resolution. Specify which state's laws apply and how disputes will be resolved. Consider requiring arbitration to avoid expensive litigation.
Modification clause. Reserve the right to update your terms and explain how users will be notified of changes.
Enforceability Tips
Courts are more likely to enforce your terms if:
- Users must actively agree (clickwrap over browsewrap)
- The terms are clearly written and not buried
- Users are notified of material changes
- The terms are not unconscionably one-sided
Privacy Policy: What You Do With Data
A privacy policy tells users what personal information you collect, how you use it, and who you share it with. Unlike terms of service, privacy policies are legally required in most situations.
When a Privacy Policy Is Required
You need a privacy policy if you:
- Collect any personal information from users (names, emails, phone numbers, IP addresses)
- Use analytics tools like Google Analytics (they collect data on your behalf)
- Run an e-commerce store
- Operate in California, the EU, or many other jurisdictions with privacy laws
- Collect information from children under 13 (COPPA applies)
If your website has a contact form, email signup, analytics, or cookies, you need a privacy policy. That covers virtually every business website.
What to Include in Your Privacy Policy
Information collected. List every type of personal data you collect. Be specific: names, email addresses, IP addresses, browsing behavior, payment information, etc.
How information is collected. Explain the methods: forms, cookies, analytics tools, third-party integrations.
How information is used. State every purpose: sending newsletters, processing orders, improving the website, targeted advertising.
Who information is shared with. Disclose all third parties who receive user data: email service providers, payment processors, analytics platforms, advertising networks.
Data retention. State how long you keep personal data and how you dispose of it.
User rights. Explain what rights users have regarding their data. This varies by jurisdiction. California residents have specific rights under the CCPA, and EU residents have rights under the GDPR.
Security measures. Describe how you protect user data. You do not need to reveal specific technical details, but acknowledge that you use reasonable security measures.
Cookie policy. Explain what cookies you use, why, and how users can manage them. Some businesses include this as a separate cookie policy.
Children's privacy. If your site is not directed at children under 13, state that explicitly. If it is, you must comply with COPPA, which requires verifiable parental consent before collecting children's data.
Contact information. Provide a way for users to contact you about privacy concerns.
Effective date and changes. Date your policy and explain how you will notify users of updates.
Key Laws You Need to Know
FTC Act Section 5
The Federal Trade Commission can take action against businesses that engage in unfair or deceptive practices. If your privacy policy says one thing and you do another, the FTC can pursue enforcement action.
COPPA
The Children's Online Privacy Protection Act applies if you collect data from children under 13. Requirements include obtaining verifiable parental consent and providing parents with access to their children's data.
CAN-SPAM Act
If you send commercial emails, you must include your physical address, provide an unsubscribe mechanism, and honor opt-out requests within 10 business days.
State Laws
California's CCPA and CPRA give consumers the right to know what data is collected, request deletion, and opt out of data sales. Virginia, Colorado, Connecticut, and other states have passed similar laws. Check the privacy laws in every state where you have customers.
Common Mistakes to Avoid
Copying another company's policy. Your privacy policy must reflect your actual practices. Copying someone else's policy almost guarantees inaccuracy.
Using legal jargon. Privacy policies should be readable. Write in plain language. The FTC has penalized companies for confusing privacy disclosures.
Failing to update. Your privacy practices change as your business grows. Review and update your policies at least annually and whenever you add new tools or data collection methods.
Burying the links. Place links to your terms of service and privacy policy in your website footer on every page. Make them easy to find.
Ignoring mobile. If you have a mobile app, it needs its own privacy policy disclosures tailored to the data the app collects.
Getting Started
- Audit every piece of data your website collects, including through third-party tools.
- Document how that data is used, stored, and shared.
- Draft your privacy policy based on your actual practices.
- Draft your terms of service with appropriate liability protections.
- Have a lawyer review both documents.
- Publish them prominently on your website.
- Set a calendar reminder to review and update annually.
These documents are not one-and-done. Treat them as living documents that evolve with your business.