3 Legal Documents Your Website Cannot Do Without

In 2011, Pony Stars, an online virtual world, was fined $3 million for violating the COPPA Act. Pony Stars' crime? The platform, with over 821,000 registrants, was found guilty of collecting and sharing personal information from its largely underage user base without proper consent.

Pony Stars' case is just one of many incidents where businesses run into long-drawn litigation and expensive penalties due to poorly drafted paperwork covering the following:

  1. Terms of Service
  2. Privacy Policy Statement
  3. Cookie Consent

Let's explore how these critical but often overlooked documents can be better optimized for businesses using websites, applications, and other online platforms.

1. Terms of Service (ToS)

The Terms of Service is the first and foremost contract a user will encounter on a digital platform. Also known as Terms and Conditions (T&C) or Terms of Use (ToU), this document is drafted with priority on the best interests of the business while informing the user of the following:

  1. What they can expect from the business
  2. Instructions on how to use the service or product
  3. The user’s rights and responsibilities
  4. Acceptable behavior and conditions for termination
  5. Jurisdiction and arbitration

Here’s an example of how it works.

King.com Limited, the publisher of the popular puzzle game Candy Crush, lists in its ToS contract the responsibilities of users and what constitutes unacceptable behavior, including harassment, impersonation, etc.

The game publisher also limits its liability by waiving responsibility in scenarios such as data loss, service interruption, etc.

King.com Limited also informs the user of the jurisdiction in which a dispute over a breach of the ToS will be heard.

The ToS contract becomes enforceable once the user accepts and agrees to the different terms.

Must-have sections in a Terms of Service contract

Terms of Service requirements vary from business to business and region to region but there are some common sections shared across this type of contract.

General Guidelines and Termination
This section covers the permitted and prohibited practices that the user must adhere to. The business also reserves the right to terminate services in case of any violation.

For example, King.com Limited makes it mandatory for the user to access the platform legally and provide correct identifying information before using the platform.

Product and Services
A detailed description of the products and services must be provided to the user to represent them correctly and avoid any misunderstanding.

To address this, King.com Limited has mapped out and elaborated on its different services under multiple subsections of the ToS.

Payments and Refunds
The user should be informed of the particulars for which they are being billed, the accepted modes of payment, and whether any third-party payment processors are involved. Refund procedures should also be spelled out.

King.com Limited offers users one-time microtransactions and subscription plans, and its ToS explains how payments for those subscriptions work.

Disclaimers and Limitation of Liabilities
The business should make it clear to the user that the product or service is available on an "as is" basis and that the user accesses the platform at their own risk. This section should also describe the specific scenarios in which the business waives responsibility, thereby limiting its liability.

Copyright and Intellectual Property
A section covering ownership of intellectual property and warning the user against unauthorized use of the business's services, trademarks, logos, etc., serves as a good deterrent against infringement and plagiarism.

King.com Limited does this by explicitly stating that the user has no ownership over any part of their service.

Governing Jurisdiction
It is also important to elect a governing jurisdiction to allow users to seek resolution through courts. The business should also mention if it prefers to settle disputes through arbitration, enabling the user to make an informed decision when purchasing the product or service.

In its ToS, King.com Limited states that Los Angeles County, California shall serve as the governing jurisdiction for US residents.

Data Usage and Privacy
The user must be informed of how their data is being collected, stored, and utilized. Usually, this section is linked to a broader independent Privacy Policy page.

King.com Limited does this by referring the user to their Privacy Policy statement.

Contact Information and Dispute Resolution
Users should be able to contact the business owner should there be any queries or concerns. Therefore, it is important to include contact information such as email, phone number, or business address.

King.com Limited instructs users to contact them using a specified email ID.

Best Practices for ToS Presentation and Publishing

Terms of Service contracts are widely criticized not only for their vaguely worded content but also for their user-unfriendly format. These characteristics tend to mislead readers, who are left unaware of what they give up by clicking the "I Agree" button.

Here’s how you can avoid falling into the trap of creating an uninviting ToS:

1. Simplicity
The average ToS contract presents information at a postgraduate reading level. To add to this, the language is heavy with jargon and the sentence structures are complex.

In comparison, the average internet user prefers written content at an 8th-grade reading level. By using simple language and coherent sentences, you can make the contract approachable and easy to understand, removing the biggest barrier to ToS contracts.

2. Consistency
Imagine reading a novel, where the author introduces a new character in every new chapter without providing prior context and refers the reader to other books to gain familiarity. Wouldn’t that be irritating?

ToS contracts function in a similar manner. Sections are interlinked and distributed, forcing the reader to reference multiple documents at once, making the activity tedious and confusing.

Instead, focus on making the contract as convenient as possible to the reader. This means avoiding unnecessary hyperlinking and referencing, summarizing sections, and offering a clear table of contents.

3. Modern
Unsavory fonts, cramped spacing, and endless pages sum up the state of contemporary ToS contracts. These factors are outdated remnants of traditional contracting that are out of place in an increasingly digital world.

Today’s internet users prefer to consume their content quickly and easily. Explore out-of-the-box and engaging ways to present the ToS contract. This can be in the form of infographics, interactive media, etc.

4. Transparency
Change is constant. This adage also applies to the ToS: organizations, industries, and regulations are always evolving, and shifts in stance will be reflected in the contract as well. Too often, however, users are not notified when the contract is edited, and they may end up consenting to terms they never signed up for initially.

Maintaining an audit trail that chronicles the different changes, and setting up a system to alert users to revisions of the terms of service, go a long way toward building trust and credibility among users.

5. Accessibility
Usually, the only time users view the ToS contract is when they sign up or purchase the service or product. However, there may be instances when the user wants to reference the contract but is unable to do so.

To prevent this, it is a good idea to keep the terms of service accessible. This means placing the contract behind clearly labelled tabs on the website as well as in the website's footer. Accompanying the contract with an FAQ covering common reader queries can be an added benefit. Offering an audio version of the contract is also a great idea, as it allows users with disabilities to access and understand the contract as well.

The next issue a business has to deal with is information. In an age of Big Data and hyper-personalized ads, user information plays a key role in business strategy and growth. However, collecting data is tricky and with changing regulations, taking the informed consent of the user gains paramount importance. To solve this dilemma, a privacy policy is required.

2. Privacy Policy

A privacy policy is a statement that informs the user of the business's data collection and usage practices. This document is legally required, and in it the business must accurately depict how the personal information of users will be utilized and what risks are associated with it.

Laws and Compliance

Privacy Policies are also required to comply with privacy disclosure laws that vary by region, industry, and target audience. Some common laws include:

1. EU GDPR (General Data Protection Regulation)
The EU GDPR is a mandatory law dictating how businesses can collect, structure, organize, utilize, share, disclose, and destroy the consumer’s personal data.

The following are the provisions mandated under the GDPR:

  1. Uniform throughout all EU member states
  2. Processing of personal data must follow principles that protect its integrity
  3. Personal data must be utilized legally
  4. Personal data use must respect the individual’s rights
  5. Breaches to personal data must be reported within 72 hours
  6. Businesses are responsible for their third-party data access
  7. In case of malpractice, the penalty levied shall be 4% of global sales or €20 million, whichever is higher.

2. California Online Privacy Protection Act (CalOPPA)
The California Online Privacy Protection Act (CalOPPA) went into effect in 2004 and was subsequently amended in 2013 to cover privacy disclosures related to tracking online movement. The law is also binding on businesses that are not located in California but still collect personal information from residents of that state.

CalOPPA requires the business to:

  1. Publish a public Privacy Policy on the business's website or mobile app, highlighted and easy to access.
  2. Inform the user of the types of personal information being collected.
  3. Tell the user with whom their information is shared.
  4. Allow users to easily access, review, and edit their personal information.
  5. Notify users whenever changes are made to the Privacy Policy, and state the systems in place for communicating revisions.
  6. Display the effective date of the Privacy Policy clearly.
  7. Provide guidelines on how users can block tracking technology, and explain how the business responds to anti-tracking signals sent by web browsers.

3. Children’s Online Privacy Protection Act (COPPA)
For businesses providing services to children under the age of 13, the Privacy Policy should comply with the Children's Online Privacy Protection Act (COPPA). The act lists the provisions for collecting and managing personal information of minors as well as guidelines on the type of content made accessible to them.

COPPA stipulates that a business should:

  1. Publish an easy-to-read Privacy Policy that mentions all privacy practices undertaken with respect to protecting children.
  2. Publish a notice for parents.
  3. Provide the parents a choice to consent to the collection of their children’s personal information.
  4. Never share children’s personal information with third parties, unless necessary for business purposes. If sharing, then it should be clearly mentioned to the parents.
  5. Allow parents to easily access, review, edit, or delete their child’s personal information.
  6. Enable parents to restrict access and collection of their child’s personal information.
  7. Provide information on how the children’s personal information is being protected.
  8. Store the personal information of children for only as long as it is necessary and delete it thereafter.

Best Practices for Disclosures

The privacy policy should also offer the user transparency with regard to the collection, usage, sharing, and security of personal data. This can be broken down into four sub-categories:

A. Notice
The privacy policy should declare the following information to the user:

- The identity of the business owner or entity collecting the information.
- The types of data being collected.
- Information on how the data is being collected and how the user can limit the collection and usage of their data.
- The purpose for collecting the data and how the business plans to use it.
- Details of third parties with whom the data will be shared.
- Other circumstances under which the user data will be shared.

Did You Know?

Businesses usually categorize user data into four main buckets, namely:

1. Personal Data: This includes any data used to identify the consumer personally, like name, gender, age, government IDs, etc., as well as non-personal identity markers like IP address, device, web browser, and more.

2. Engagement Data: This category tracks the interaction at different touchpoints the consumer has with the business. It includes web pages, mobile applications, social media handles, email newsletters, paid ads, etc.

3. Behavioral Data: This type of data gathers insights on the consumer’s experience with the product or service. This includes transaction details, purchase history, product usage, and other qualitative data.

4. Attitudinal Data: This data category helps uncover how consumers perceive the business entity. It covers areas such as consumer feedback and reviews, product opinion and interest, etc.

B. Consent
The business should allow the user to choose whether they want their data collected, used, and shared. The policy should cover:

  1. Information on how consent is taken to collect the user's personal data.
  2. Details of compliance with different regulations, including GDPR, COPPA, etc.
  3. The user should be able to opt in and opt out without any restrictions.
  4. The business should provide information on how the user can communicate their opt-in and opt-out decisions.
  5. The user should have the right to reclaim their personal data and use it for their own purposes. The business should honor these requests within a reasonable period of time.

C. Sharing and Access
The business should give clarity on user data sharing and how the user can access their data.

  1. Information on all third parties having access to the user data; this can range from plugins to apps, etc.
  2. Details on how the user data is shared or sold, including B2B channels and marketplaces.
  3. Details of channels through which a user can access, modify, or delete their personal data.

D. Security
The business should provide information on the steps taken to protect the user data.

  1. Details on how the user data is being stored.
  2. Details on how long the user data will be stored in the business's database.
  3. Information on the security measures taken to safeguard user data.
  4. Information on the threats and consequences of collecting and storing user data.

3. Cookie Consent

Websites collect and store small pieces of information, known as cookies, locally in the user's browser. While cookies help improve the website's load time, they also play a huge role in personalizing the user experience by targeting related content and advertisements.

Therefore, cookie consent is important: a business should obtain the user's permission before deploying cookies and trackers that collect personal data. This practice is aimed at protecting the privacy of users as they browse websites.

Types of Cookies

Cookies are commonly grouped into six types:

- 1st Party Cookies - Created by the website owner; they collect behavioral data in order to optimize and personalize the user experience.
- 3rd Party Cookies - Created by external domains; they collect information primarily for tracking and advertising.
- 2nd Party Cookies - Cookie data shared between businesses through data partnerships.
- Session Cookies - Temporary cookies that are deleted once the user closes their browser.
- Permanent Cookies - Stored on the user's device and not deleted when the browser is closed.
- Non-Browser Cookies - Not stored in the user's browser but in external applications.

Seeking Consent

Regulations like the GDPR mandate that websites should prominently feature a banner that informs the user of cookie usage and must also take their active consent.

Active consent is not obtained simply by displaying cookie banners and pop-ups, nor by the user continuing to scroll through the website after ignoring the cookie notice.

Instead, businesses should follow a strict protocol to ensure proper consent is taken from users.

Non-ticked checkboxes
The form collecting the consent should not feature pre-ticked checkboxes when first presented to the user.

No passive consent banners
The website should not rely on the user finding the cookie policy, but instead display the consent form actively.

Display Accept, Reject, and Withdraw buttons
The user should be given the option to accept, reject and even withdraw their consent using the same cookie form.

Cookie Consent pop-up form used by Moove Agency

No content blocking
If the user does not consent to the use of cookies, the business must not prevent the user from engaging with the website.

No clubbing of different cookie consents
The website should clearly mention the different cookie types being used instead of grouping consent under a single header.

Moove Agency also informs users of data tracker usage and allows them to enable or disable them.

Simple language
The cookie consent form should use simple, non-jargon language that is easy to read and understand.

No deceptive practices
The cookie consent form design should be neutral, so that it does not steer the reader, for example by using differently colored buttons for the accept and reject options.
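The consent protocol above maps directly onto how a site loads its trackers. The following is an added example (not code from the article or from any agency it mentions) of a small consent gate that enforces the rules: every non-essential category starts undecided (no pre-ticked boxes, nothing inferred from scrolling), trackers load only after an explicit opt-in, consent is granular per category, withdrawal tears the tracker down and clears its cookie, and the page is never blocked. The category names, tracker cookie names and the in-memory cookie jar are all constructed for the example.

```javascript
// Added example: consent gate for non-essential cookies (names are illustrative).
const NON_ESSENTIAL = ["analytics", "ads"]; // strictly necessary cookies need no consent

// Constructed stand-in for the browser cookie store so this runs outside a browser.
const cookieJar = new Map();

// A hypothetical tracker: sets its cookie only when loaded, removes it when unloaded.
function makeTracker(cookieName) {
  return {
    load: () => cookieJar.set(cookieName, "set"),
    unload: () => cookieJar.delete(cookieName),
  };
}

function createConsentGate(trackers) {
  // Every category starts unset (null): no pre-ticked boxes, and nothing is
  // inferred from the user scrolling past or ignoring the banner.
  const decisions = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, null]));
  const loaded = new Set();

  // Reconcile loaded trackers with the current decisions.
  function apply() {
    for (const c of NON_ESSENTIAL) {
      if (decisions[c] === true && !loaded.has(c)) {
        trackers[c].load(); // explicit opt-in: load only now, never earlier
        loaded.add(c);
      } else if (decisions[c] !== true && loaded.has(c)) {
        trackers[c].unload(); // rejected or withdrawn: tear down and clear the cookie
        loaded.delete(c);
      }
    }
  }

  // Only an explicit true/false is recorded; anything else leaves the category unset.
  function record(choices) {
    for (const c of NON_ESSENTIAL) {
      if (choices[c] === true || choices[c] === false) decisions[c] = choices[c];
    }
    apply();
  }

  return {
    acceptAll: () => record(Object.fromEntries(NON_ESSENTIAL.map((c) => [c, true]))),
    rejectAll: () => record(Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]))),
    save: (choices) => record(choices), // per-category choices from the consent form
    withdraw: (category) => record({ [category]: false }), // same form, later visit
    isAllowed: (category) => decisions[category] === true,
    // The banner stays until every category has an explicit decision, but the
    // page content itself is never blocked while the banner is shown.
    needsBanner: () => NON_ESSENTIAL.some((c) => decisions[c] === null),
  };
}

const gate = createConsentGate({
  analytics: makeTracker("_analytics_demo"),
  ads: makeTracker("_ads_demo"),
});
```

Wire `gate.save`, `gate.rejectAll` and `gate.withdraw` to the form's buttons; nothing that sets a non-essential cookie should run except through a tracker's `load`.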