Terms of Use and Privacy Policy for Your Website and App

  • 9.8.2015

Terms of use and privacy policies govern the relationship between a company’s website or app and its users, and establish the guidelines for how that company must treat users’ information. Here, our emerging company lawyers explain who needs these agreements and why they matter.

Does My Company Need Terms of Use and a Privacy Policy?

The short answer is yes. Many state laws require websites and apps to have a privacy policy, and a terms of use gives you (among other things) an opportunity to limit your liability and communicate key “rules of the road” for use of your website or app. When drafted and implemented properly, terms of use and a privacy policy can protect you from legal claims that could arise from operating your website or application and/or claims that your company has misused information or misled the user about its collection or use of information.

Can I Copy the Terms of Use and Privacy Policy from Another Website or App?

Tempting as it might be to take a “one size fits all” approach and copy-paste these documents from another website or app, exercise caution. No two businesses are completely alike, and these documents need to accurately and completely reflect how your business works, how your website or app operates, and how you will collect, use and disclose information. In addition, even some very large, well-known companies have made mistakes such as deploying terms of use containing provisions which may render parts of the document unenforceable and privacy policies that do not contain disclosures required by recent changes in the law. 

So I Have to Write My Own. What Information Should I Include?

The content can vary widely, depending on how you and the public use your website.

Terms of Use

If your company simply provides information—not products or services—through your website or app, the terms of use can be relatively simple. In addition to the boilerplate legal language you’d expect to find in any legal agreement, such as a statement on limitation of liability and governing law, the terms of use should include:

  • the permitted users and uses of the website or app;
  • the rights of the company and the user regarding the various types of information exchanged through the website or app;
  • the activities that are prohibited on the website or app;
  • any applicable restrictions on “scraping” or otherwise accessing content on the website or app; and
  • a warning to users that any sites linked to are not under the company’s control, and are governed by separate terms of use.

Additionally, the terms of use can address whether framing or incorporation of the company’s website onto third-party sites is permitted.

If the website or app contains content contributed by users or other third parties, the terms of use should include content that complies with available “” under US federal law, particularly the Digital Millennium Copyright Act, which establishes specific processes (referred to as a “”) that enable service providers to reduce exposure to liability for copyright infringement arising from content provided by users.

If the terms of use is for an app or a website through which the company provides products and services, such as a Software as a Service, the terms of use should be far more customized. They should address the issues raised by the applicable products and services, and the company’s business model, in detail. In this case, the terms of use may be the primary contract between the company and its customers.

Privacy Policy

The privacy policy should address not only the company’s current practices in collection and use of personal information, but also the activities that the company intends to engage in over time—it is far simpler to start off with an accurate privacy policy than to amend it later.

A privacy policy should:

  • explain the types of information the company collects through the website or the company’s services, and how the company collects that information;
  • make clear that information submitted by users, which is viewable by third parties in the normal operation of the website, will not be protected;
  • explain how the company will use the information submitted by, or otherwise collected from, users;
  • explain to whom the company may disclose that information and for what purpose; and
  • provide contact information to any users with questions about the privacy policy.

In 2013, California issued mobile privacy recommendations for app developers, app platform providers, advertising networks and others. Here are some do’s and don’ts from the California report:

Do:

  • make the privacy policy accessible from within the app and in the app store, so users can read it before downloading the app;
  • use shorter privacy disclosures and other measures to draw attention to data practices that may be unexpected;
  • enable meaningful choices about the collection and use of data; and
  • augment disclosures when collecting sensitive data, text messages, call logs, or contacts, or when using sensitive device features such as cameras, microphones or location tracking.

Don’t:

  • collect personally identifiable data not necessary for the app’s functions;
  • use out-of-app ads delivered by modifying browser settings or placing icons on the mobile desktop; and
  • use static, device-specific identifiers for advertising.

Privacy laws differ significantly from industry to industry and country to country. The European Union, for example, has adopted a very restrictive data protection directive that limits how sites may collect and use personal data, and that requires user consent before a website can use cookies. So if your business or website operates in different countries, you will need to ensure that your privacy policy accounts for these different laws.

In addition, if your website or app is directed at children under 13, or if you know that children under 13 are using the website or app, you will need to implement a privacy policy and internal practices and procedures that comply with the Children’s Online Privacy Protection Act of 1998.

How Should I Present My Terms of Use and Privacy Policy?

How you present these documents can impact how enforceable they are. Many companies simply link to them at the bottom of a webpage (often referred to as a “browse-wrap” agreement), but this method may make them less enforceable in some contexts and jurisdictions.

When the terms of use establish critical protections for the company, particularly when the company provides products or services or receives user contributions through the site or app, you should make the terms of use a “click-wrap” agreement using a process that ensures clear user awareness and acceptance of the terms of use.

What If Something Changes in the Future?

Over time, a company may need to adapt its terms of use and/or privacy policy to reflect changes to its products and services, changes to the scope of information collection and use, or other changes. The privacy policy should mention when and where changes to it will be posted. Check with counsel to find out if particular changes to your privacy policy require more significant notification and/or consent steps. A terms of use update will require discussion with counsel regarding whether you need or want the terms of use to apply to existing users, and if so, what process should be implemented to achieve that in an enforceable way.
