Web Legal 101: Introduction to Privacy Policy, Terms and Conditions, and Cookies

This is the first blog in our series about Legal Documents you need for your website. Here, you can get an overview of the documents you should keep on your radar. You can also check out our detailed blogs about Privacy Policies, Terms and Conditions, and Cookie Policies.

Yes, the internet used to be akin to the wild west. You could publish what you wanted, say what you wanted, and do what you wanted. Then the buzz-kill law got involved.  

‘The Man’ will still let you publish a small conspiracy theory website that is bat-poo crazy without any real restrictions or prohibitions. But when you have a big-boy website (one that uses ecommerce, analytics, or third-party software, or one that interacts directly with kids or with anyone outside the US), you’ve got legislation and regulation to deal with.  

Because it is law, it gets deep, specific, and confusing, and throws acronyms at you like a sick kid after eating Alpha-Bits cereal.

We have to keep up with all of the legislation and regulation to be able to guide our clients, so you are going to benefit big-time. In the true spirit of mini Monster, we are writing it all down and sharing everything we know. This is an introduction to the types of legal agreements and policies that are out there. Think of it as an executive summary explaining what laws and regulations affect your company, what you need to pay attention to, and what you need to do to have a law-abiding website. If you really want a deeeeeep dive, our blog has detailed examinations of each of these policy types. 

But first, the obvious:

We are not lawyers. We are not a law firm. Nothing that we say or write should ever be used or seen as a substitute for professional legal advice. At most, you should take any of our discussion of legal issues in the same way that you would take good advice from your gardener neighbor about pruning your shrubs. (Our lawyer made us say that. Not the shrubs bit, though. We added that in ourselves.)

 

Overview

There are three main categories of legal agreements that we are going to cover here: Privacy Policies, Terms and Conditions, and Cookies. We will explain the purpose of each, and give you all the information you need to determine whether or not you should create that policy for your website. And, we will also give you the run-down on some of the terminology used in discussion of these documents, and a quick review of the biggest need-to-knows.

 

1) Privacy Policies 

What It Is

Privacy Policies disclose what pieces of personal information you gather from users on your website, how you collect, store, and use that data, and what rights a user has to view or change this data.

Who Needs It

If your website:

  • Uses ecommerce

  • Uses analytics tools 

  • Incorporates third-party software, or other advertising or remarketing sites

  • Collects personal information from kids in the US under 13

OR

  • Collects personal information from anyone outside the US,

then you are legally required to post a privacy policy on your site that meets the obligations of the legislation that you fall under.

 

Why You Need It

That was a quick checklist of criteria that will legally require you to post a privacy policy on your site. Here are the reasons behind it all:

  1. Ecommerce websites and sites that use analytics tools (such as Google or Squarespace analytics) are required by law to have a privacy policy, because they collect personal data from customers (email addresses, first and last names, shipping address, etc.).  

  2. If your site incorporates third-party software, such as AdSense, Google GSB, Adwords, Apple App Store, or other advertising or remarketing sites, your agreement with that company includes requirements for your Privacy Policy.  

  3. If any of your website audience is outside the US, and you collect personal data from them, then you are required to comply with any laws governing the country (or area) that your web visitors are in.  Ecommerce sites that have customers outside the US fall into this category, as do other websites that are not sales sites, but do collect personal information from people outside the US, such as Facebook.  

  4. Websites that target a young audience and collect information from kids in the US under the age of 13 fall under the only online privacy laws in the US that are federal. The US has been fairly relaxed about online privacy, except when it comes to the kiddos. These regulations are strict, the fines for failure to comply are high, and they are enforced. 

 

AKA

As there is no federal standard in the US governing online privacy for websites (other than those that target kids under 13), we are left with a patchwork of state, national, and international laws to cobble together. Currently, for an American website targeted to adults, California has enacted the most comprehensive digital privacy law in the nation. So, right now we are looking to California to provide the strictest guidelines to follow.

Below is the online privacy legislation that is commanding the conversation today.

Domestic Regulations

COPPA - Children’s Online Privacy Protection Act federal legislation enacted 1998, revised 2013

CalOPPA - The California Online Privacy Protection Act enacted 2004, revised 2014

CCPA - California Consumer Privacy Act enacted 2020

CPRA - California Privacy Rights Act takes effect 01 January 2023

VCPA - Virginia Consumer Data Protection Act  takes effect 01 January 2023

CPA - Colorado Privacy Act takes effect 01 July 2023

International Online Privacy Laws

GDPR - The European General Data Protection Regulation, enacted in 2018; it governs anyone in the EU.

UKGDPR - In 2021, the United Kingdom revised and added multiple privacy laws of its own to compensate for its lack of legislation after Brexit. This checklist of laws is referred to as the UKGDPR.

PIPEDA - The Personal Information Protection and Electronic Documents Act, enacted 2000, governing Canada.

 

Personal Data

To further muddy the waters, Privacy Policies deal with the data that a website receives from its visitors, but there are different legal terms for this information. All of these terms have different legal definitions, which means that information considered as personal data under one law may not be under a different law.  

Right now, with the jumble of state, national, and international laws that govern online privacy, it is tricky to determine what laws your website must adhere to. To help you make that decision, read our blog on Privacy Policies. 

 

2) Terms and Conditions 

 

What It Is

A Terms and Conditions agreement is a legal contract between your company and the website user, setting out the ground rules of how both parties should act and what both parties should expect from each other. This is where your customer can source all the information regarding their rights when engaging with you. And, it is where your company establishes all of its business policies, which protects you from legal disputes and liabilities.  

 

Who Needs It / Why You Need It

Unlike a Privacy Policy, a Terms and Conditions agreement isn’t legally required in the US.  

However, it is extremely important to have, as it:

  • Is the single largest legal protection an online business can have  

  • Contains legally mandated information required by consumer protection regulations (especially in the case of ecommerce)

  • Limits or excludes your legal liability

  • Protects your intellectual property rights with a copyright clause

  • Allows you to deactivate a user account, withdraw or suspend service, or cancel a transaction

  • Sets governing law, which establishes which country's and state's law your company is governed by

Quick Takeaway: You are probably going to have a Privacy Policy because it is legally required. You need to have Terms and Conditions for your own legal protection. This is the COA of website documents.

 

AKA

Terms and Conditions (T&C) are agreements used to govern the relationship between a business and its consumers, and can be written to cover a broad scope of topics. Because of the nature of this document, it is frequently used as a catch-all, addressing an array of subjects that could be separated out as independent documents. The title Terms and Conditions can also be used interchangeably with many other legal agreements that serve similar or more specific and limited functions.

 

Terms and Conditions Can Take The Place Of:

Terms of Service (TOS or ToS) (also called Terms of Use or ToU) - This is a legal agreement between an online service provider and a person who wants to use that service. 

End User License Agreement (EULA) (also called Software License Agreement (SLA), or Licensed Application End-User Agreement) - EULA focuses on a licensing relationship between an owner of a product or software and the end-user. It specifies the rights and restrictions that apply to the software, the conditions which may limit or terminate a user’s access, etc.

Acceptable Use Policy (AUP) (also called Internet and Email Policy, Internet AUP, Network AUP, or Acceptable IT Use Policy) - AUPs define and restrict the acceptable behavior of users of a computer network, website, or service.

 

Although some websites prefer to publish their policies separately, Terms and Conditions agreements certainly can be used as a catch-all document, containing:

Return, Exchange, & Refund Policy

A return policy is an absolute necessity for an ecommerce website.  People need to trust in your brand before they will buy from you online.  Providing your audience with a clear, detailed return policy helps manage their expectations before they buy and gives them a feeling of security, which helps build that trust.  

The policy describes what products or services are eligible for return, exchange, or refund, under what conditions and in what time frame you will accept returns, and the steps that the customer needs to follow to initiate a return.

Some business owners are hesitant to commit to a consistent return policy, worried that they will appear too rigid and unfriendly. In fact, the opposite is true. Rather than frightening off customers, a fair, clear, and consistent return policy can increase conversion and repeat rates.

Shipping Policy

Being able to provide your customers with a detailed shipping policy not only manages customer expectations, it also gives them important information that they may need to make the final choices on their purchase.  

It should explain all of the shipping options that they have available to them, the cost of each option, how long each method will take, expected handling time, cut-off times for ordering, and any shipping restrictions (no P.O. boxes, adult signature required, can only ship to certain states, etc.). This information lets your customer make an informed decision on what shipping method to choose.  

Disclaimer

Disclaimers are specific statements concerning what your website does not promise or guarantee. Most deal with liability issues, such as:

  • Issues arising from the use of the website

  • Errors or omissions on the site

  • Medical or legal advice

  • Third-party links

These disclaimers limit your liability should a visitor have any issues, problems, or incur damage of any sort related to your website.

Copyright Policy

The copyright policy makes clear that you are the owner of the content on your website (logo, writing, images, videos, anything that you have created) and that, as this is your property, everything is protected by international copyright laws. 

Check out our detailed blog on Terms and Conditions.

 

3) Cookie Policy

 

What It Is

Websites often use cookies for everything from analytics statistics to social buttons and re-marketing services.

Because these cookies are actually small data files that are installed on your computer’s browser, they can allow your browsing to be tracked, which opens concerns about privacy violations.

 

Who Needs It / Why You Need It

The US hasn’t really gotten flustered over this issue for anyone over 13 yet, but the EU certainly has. There are some pretty tight legal restrictions and requirements if your website:

  • Collects information from kids in the US under 13

OR

  • Collects information from anyone outside the US

 

AKA

Cookies are text files with small pieces of data that are stored on your computer’s browser and used to identify your computer in future visits.  In general, only the domain (server, website) that placed a cookie can read it later. Only Amazon can read Amazon cookies, only Target can read Target cookies.

But, just like their more delicious counterparts (chocolate chip, oatmeal raisin, and sugar cookies), computer cookies come in all different types and flavors.  

Here is a run-down of some of the different types:

Essential Cookies (also called Necessary Cookies, Strictly Necessary Cookies) - Cookies that are crucial to the functioning of the website, such as remembering items placed in a shopping cart or allowing you to access a secure section of a website after you have logged in.

Functionality Cookies - Enable websites to remember user site preferences, such as username, region, and language. This allows the website to provide personalized features like local news stories and weather if location is shared.

Performance Cookies - Used specifically for gathering data on how visitors use a website, which pages of a website are visited most often, or if users get error messages on web pages. These cookies don’t collect identifiable information on visitors, which means all the data collected is anonymous and only used to improve the performance of a website.

Non-essential Cookies (Non-necessary Cookies) - Cookies that are not vital for the functioning of the website, such as cookies used to analyze your behavior on a website or cookies used to display ads.

Internet Cookies (HTTP Cookies, Web Cookies, Browser Cookies) - Built specifically for Internet web browsers to track, personalize, and save information about each user’s session.

Persistent Cookies - Store data for an extended duration, beyond a single session, for purposes such as remembering your username and password for easier login. May come with an expiration date. 

Session Cookies (First Party Cookies) - Temporary cookies that are deleted when you close your browser, used for things like keeping items in your cart as you shop around on a website.

Tracking Cookies (Third-Party Cookies) - Collect data about your online behavior, used by advertisers to display ads based on your previous behavior. 
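As an added illustration (not code from mini Monster or from this post), here is a small Python audit script that reads the Set-Cookie headers a site sends and sorts them into the buckets above: session versus persistent (decided by the Max-Age and Expires attributes) and first-party versus third-party (decided by comparing the cookie's domain with the page's own site). It also lists cookies that lack the Secure flag, which is the kind of detail a cookie inventory for your policy should capture. The hostnames and header values are constructed samples, and the "last two labels" rule for a site is an assumption made for the example; real tooling would consult the Public Suffix List.

```python
"""Classify Set-Cookie headers the way a cookie policy groups them:
session vs persistent, first-party vs third-party, plus the security
attributes an auditor checks before the cookie banner goes up."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def registrable_site(host: str) -> str:
    """Crude 'site' for a host: its last two labels. This is an assumption
    made for the example; production code should use the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


@dataclass
class CookieInfo:
    name: str
    domain: str          # host (or Domain= scope) the browser will send it to
    lifetime: str        # "session", "persistent" or "expired"
    third_party: bool    # scoped to a different site than the page
    secure: bool
    httponly: bool
    samesite: str        # value of SameSite, or "" when absent


def parse_set_cookie(header: str, setting_host: str, page_host: str) -> CookieInfo:
    """Parse one Set-Cookie header value as sent by setting_host while the
    user is viewing a page on page_host."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    flags = set()
    for part in parts[1:]:
        key, has_value, value = part.partition("=")
        key = key.strip().lower()
        if has_value:
            attrs[key] = value.strip()
        else:
            flags.add(key)
    # No Domain attribute means a host-only cookie for the responding host.
    domain = attrs.get("domain", setting_host).lstrip(".").lower()
    # Expires makes a cookie persistent; Max-Age takes precedence when present,
    # and a Max-Age of zero or less tells the browser to delete the cookie.
    lifetime = "persistent" if "expires" in attrs else "session"
    if "max-age" in attrs:
        try:
            lifetime = "persistent" if int(attrs["max-age"]) > 0 else "expired"
        except ValueError:
            pass  # browsers ignore a malformed Max-Age and fall back to Expires
    return CookieInfo(
        name=name,
        domain=domain,
        lifetime=lifetime,
        third_party=registrable_site(domain) != registrable_site(page_host),
        secure="secure" in flags,
        httponly="httponly" in flags,
        samesite=attrs.get("samesite", ""),
    )


def audit(page_host: str, responses: List[Tuple[str, str]]) -> List[CookieInfo]:
    """responses: (responding host, Set-Cookie header value) pairs."""
    return [parse_set_cookie(header, host, page_host) for host, header in responses]


def summarize(cookies: List[CookieInfo]) -> Dict[str, object]:
    """Counts and name lists an inventory for the Cookie Policy would need."""
    return {
        "session": sum(c.lifetime == "session" for c in cookies),
        "persistent": sum(c.lifetime == "persistent" for c in cookies),
        "expired": sum(c.lifetime == "expired" for c in cookies),
        "third_party": sorted(c.name for c in cookies if c.third_party),
        "missing_secure": sorted(c.name for c in cookies if not c.secure),
        # Third-party cookies without SameSite=None are dropped cross-site by
        # browsers that default to SameSite=Lax, so they would not work anyway.
        "third_party_without_samesite_none": sorted(
            c.name for c in cookies if c.third_party and c.samesite.lower() != "none"
        ),
    }


# Constructed sample: a shop page plus one ad network response (not real hosts).
PAGE_HOST = "shop.example"
SAMPLE_RESPONSES = [
    ("shop.example", "cart=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("shop.example", "lang=en; Max-Age=31536000; Path=/"),
    ("ads.tracker-example.net",
     "_uid=xyz; Expires=Wed, 01 Jan 2025 00:00:00 GMT; "
     "Domain=.tracker-example.net; SameSite=None; Secure"),
    ("shop.example", "old_pref=; Max-Age=0; Path=/"),
]

if __name__ == "__main__":
    for cookie in audit(PAGE_HOST, SAMPLE_RESPONSES):
        print(cookie)
    print(summarize(audit(PAGE_HOST, SAMPLE_RESPONSES)))
```

In the sample, the cart cookie is a session cookie (no lifetime attribute), the language preference and the ad network's identifier are persistent, the ad network's cookie is the only third-party one, and the `Max-Age=0` header is a deletion rather than a cookie to disclose.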

 

Trackers

A Tracking Cookie (or a Third-Party Cookie) can be used to record your browsing behavior and interaction with the website. But, other trackers are commonly included in the discussion of cookies.

Trackers are small pieces of code that third parties (like advertisers, marketers, or researchers) pay websites to include in their web pages.  The trackers will allow the third party to gather information about your visit and activities on the site, including the pages you view, items you click on, purchases you make, your physical and IP address, as well as other data about your visits. Over time, third parties can use that information to create profiles of millions of people, based upon which websites they visit, how often, at what hours, etc. 

More powerful trackers can actually watch your mouse movement. If you stay on the website home page for 10 seconds, and then switch to another page that you spend 10 minutes on, this gives the trackers a glimpse into your browsing habits. Some trackers watch you over multiple sites to analyze your interests and habits. For instance, we have all had the experience of reading an article on a topic (say, bird migration), and then being overwhelmed with online ads for bird feeders.

Trackers can be referred to as a number of things, including: embedded scripts, tracking cookies, pixel tags, spy dots, automatic URLs, or auto hyperlinks. And, they can be as simple as a single, tiny, white pixel on a white background.
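To see what the paragraphs above mean in practice, here is an added Python example (not code from mini Monster or this post) that walks the HTML of a page and inventories the embedded third-party scripts, iframes, and one-pixel or hidden images that point at another site, which is the list of trackers a Cookie Policy has to disclose alongside the cookies. The page markup and the hostnames in it are constructed samples, and the "last two labels" rule for deciding what counts as a different site is an assumption made for the example.

```python
"""Inventory the third-party scripts, iframes and tracking pixels embedded
in a page, so they can be disclosed in the Cookie Policy."""
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse


def registrable_site(host: str) -> str:
    """Crude 'site' for a host: its last two labels (assumption for the
    example; real tooling would use the Public Suffix List)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class TrackerScanner(HTMLParser):
    """Collects embedded resources loaded from a site other than the page's."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_site = registrable_site(page_host)
        self.findings: List[Dict[str, str]] = []

    def _is_third_party(self, url: str) -> bool:
        host = urlparse(url).hostname
        # Relative URLs have no host and are served by the page itself.
        return bool(host) and registrable_site(host) != self.page_site

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if not src:
            return
        if tag == "script" and self._is_third_party(src):
            self.findings.append({"kind": "third-party script", "url": src})
        elif tag == "iframe" and self._is_third_party(src):
            self.findings.append({"kind": "third-party iframe", "url": src})
        elif tag == "img":
            # A pixel tag is a tiny or hidden image whose only job is the request.
            tiny = a.get("width", "").strip() in ("0", "1") and \
                a.get("height", "").strip() in ("0", "1")
            hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
            if (tiny or hidden) and self._is_third_party(src):
                self.findings.append({"kind": "tracking pixel", "url": src})


def scan(page_host: str, html: str) -> List[Dict[str, str]]:
    """Return the trackers found in html when served from page_host."""
    scanner = TrackerScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page; none of these hosts are real services.
SAMPLE_HTML = """
<html><body>
<script src="/static/app.js"></script>
<script src="https://cdn.analytics-example.com/collect.js"></script>
<img src="https://shop.example/logo.png" width="200" height="80">
<img src="https://px.adnet-example.net/p.gif?uid=123" width="1" height="1" style="display:none">
<iframe src="https://social-example.org/like-button"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan("www.shop.example", SAMPLE_HTML):
        print(f"{finding['kind']}: {finding['url']}")
```

The first-party script and the 200x80 logo are skipped; the analytics script, the 1x1 hidden image from the ad host, and the embedded social iframe are the three items a visitor's browser will contact without seeing anything on the page.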

Check out our detailed blog on Cookie Policies.

 

Final Question:  Can I Just Create One Humongous 400-Page Policy That Covers Everything?

Although we applaud your efficiency and desire to tidy everything up, I’m gonna have to give you a big no on that one, for a few reasons.

The Privacy Policy is a legally required document. It needs to have an easily seen and clearly marked link from the website’s homepage with the word Privacy conspicuous in the link. You can also include the Privacy Policy in your Terms and Conditions if you wish, but it must be on its own individual page with a direct link from the homepage.  

If you need to have a Cookie Policy, it also must be on a page by itself.  Users will have to be able to access this page by a link on your homepage, and by a link in a cookie banner that appears on your website whenever anyone visits.  (You’ve probably seen quite a few of those recently!)

If you want to include every possible clause and disclaimer in your Terms and Conditions agreement (return policy, copyright, disclaimers, shipping, etc.) then feel free. The T&C is sort of the junk drawer where everything like that can be kept. An added benefit here is that your customer will have to actively agree to the T&C before purchase. If all legal is included here, then they have consented to all of it.  

However, it may be helpful to your customers to have some sections, such as the Shipping Policy, also exist on their own with an easily-found link, so that they can be easily referenced.

 

That is the introduction to the main documents you need to ensure that your website is legally protected from liability and risk, and is compliant with all laws and regulations. Please feel free to pour yourself an adult beverage or get a pint of Ben & Jerry’s out of the freezer.  

This should give you a good idea about what legal documents that you may need to include on your website, but this introduction alone isn’t enough for you to be able to either write or proof those policies. The next step is to read up on the details of the legal agreements that you now know you will need. By all means, finish your Ben & Jerry’s first.

Privacy Policies 

Terms and Conditions

Cookie Policy 
