Last updated: Jul 6, 2021

Legal Policies Your Website Should Have

It’s hard to escape the unending sea of consent check boxes that bombard you when browsing online. Legal policies are everywhere on websites today, whether it’s a long scroll through terms of service or a pop-up asking to collect your personal data. We’ve all hastily scrolled and clicked, but how often do you really pay attention to the legal policies on the sites you visit? Probably only when there’s been an issue, which is one major reason they are beneficial for a business to have. So what legal policies should your website have in place?

For most businesses, there are three legal policies that your website should have – a privacy policy, a terms of service agreement and a consent-to-gather-information prompt. Let’s dig into each one and why they’re important for your business.

Why a Privacy Policy is a Must Have

A privacy policy is a legal document that states what information is being collected from your users and how you will use that information. This is especially important for e-commerce sites that handle extra-sensitive payment information like credit cards, but it also applies to sites that have forms or collect analytics on their visitors (Better Business Bureau). Personal information includes (but isn’t limited to): names, addresses, phone numbers, email addresses, credit card numbers, and IP addresses.

It’s the Law in Much of the World

The main reason your site should have a privacy policy is that it’s the law in many countries and US states. Several jurisdictions, including the U.S., Australia, Canada, and the European Union, have laws that are designed to protect users’ personal information.

State            Legislation Status
California       In effect Jan 2020
New York         On hold
Maryland         Pending approval
Massachusetts    Pending approval
Hawaii           Pending approval
North Dakota     Pending approval

California is the only US state with privacy laws currently in effect, though other states have legislation in the works.

In the United States, California passed the California Online Privacy Protection Act (CalOPPA) in 2003. It states that websites that collect personal information from Californians must have an obviously placed privacy policy. Those policies must identify how personal information is collected, used, and shared. California has since added the Consumer Privacy Act (CCPA) of 2020 to supplement CalOPPA. You can read more about how to be compliant with both in this Website Policies blog article. Other states have their own rules about privacy, so it’s important to know what they are if you have customers in those areas.

The European Union enacted a Cookies Directive in 2011 and the GDPR (General Data Protection Regulation) in 2016 to give citizens more control over what happens to their data. So if you’re collecting information from any citizen of the EU, you must have a clear privacy policy and adhere to a specific set of rules.

Canada has PIPEDA, the Personal Information Protection and Electronic Documents Act, and Australia has legislation called the 13 Privacy Principles. Most countries have their own laws about privacy policies; you can read more about each one that may be relevant to your business in this article from Website Policies.

The penalty for not having a privacy policy depends on the jurisdiction imposing it. For instance, here in the U.S., failure to comply with CalOPPA can result in a penalty of up to $2,500 per violation. Doesn’t sound too horrible? Keep in mind that “per violation” means every single time someone in that state visited your site while you were deemed non-compliant. That can certainly add up quickly if 10 people from California have accessed your site in the same week.

Failure to comply with the GDPR can bring fines of up to $11.8 million, or 2% of a company’s global annual revenue – whichever is higher. Other countries have different rules and penalties, but they all come with a hefty fine. Now imagine that someone from each of these places visits your site at the same time while you aren’t compliant with any of their rules – it could be a very expensive visit. It’s probably best to skip that situation altogether and have a policy that covers your bases.

Trust and Credibility

According to a 2016 study done by Pew Research, most Americans have experienced some form of data breach and do not trust institutions to keep their data safe. Having a transparent, well-written and easily accessible privacy policy can help to build trust with your visitors. It’s an easy way to go from ‘a random website’ to a site your clients have confidence interacting with.

Many Third-Party Services Require a Privacy Policy

Many third-party service providers require that a site have a privacy policy to comply with their terms of service. Google AdSense and Analytics are some examples that may block you from using their services if you don’t have a privacy policy in place.

How to Get Started With Your Privacy Policy

So where do you begin if your website needs a privacy policy? Fortunately, there are plenty of resources available online. Compliance experts TermsFeed offer a tool for generating customized policies (for a small fee), plus free templates and tips you can use to craft your own. Check out their Privacy Policies for Small Business guide for a good overview of what to include. The Better Business Bureau also provides useful advice and a good template that focuses on adhering to the BBB standards.

[Screenshot: WordPress Privacy settings]
WordPress users can take advantage of the built-in Privacy Policy tool to get started.

If your site is built using WordPress, then you’re in luck. There’s a good Privacy Policy tool built right in, and you can access it from the WordPress dashboard. Simply select “Settings,” then “Privacy” from the admin toolbar, and you will be taken to a page to get started. Customizing it will take some additional work, but it’s a good place to start.

Terms of Service

Terms of Service (aka Terms of Use or Terms and Conditions) is an agreement that a user must abide by to use your website or service. It is a legal policy your website should have, even though there isn’t a legal requirement for one. Its purpose is to explain how you conduct business and describe how any issues will be handled.

[Screenshot: Google terms of service]
Google separates their Terms of Service into 4 main categories.

Prevent Abuse and Content Theft

Terms of service set the expectations of users who are considering using your product or service. That’s where you’ll address issues such as language use, spamming, defamation, etc. It’s also the place to set the punishment (or a termination clause) for those who break the agreement. This helps to establish clear and legally binding boundaries to protect both your business and your clients.

Terms and conditions also tend to include an Intellectual Property Clause. IPCs state that content created by the business is owned solely by the business and is protected by international copyright laws. This includes anything you’ve created on your site, whether it’s the logo, images, diagrams, you name it. This helps to prevent anyone from trying to steal your content and use it as their own without your permission.

Limiting Liability and Setting the Governing Law

Include a disclaimer in your terms of service to cover any potential errors on the business’s end. Terms of service protect you from being held responsible for issues with product availability or for others using your content inappropriately, and they make clear that you reserve the right to cancel orders or discontinue services for whatever reason you see fit.

The Governing Law refers to the country you are doing business from. Different countries have different rules and regulations. The Governing Law clause establishes which rules users are expected to follow on your site and which rules they can expect you to operate under.

If you’re curious about what else to include in your own Terms of Service, try reading this helpful article from Legal Nature.

Consent for Information Gathering

You may have seen that little pop-up when first visiting a site that asks about cookies and other on-site tracking. Cookies are small pieces of data a site stores in your browser that remember things you’ve clicked on, how long you stayed on a site or other places you’ve visited. While these trackers are useful for advertising, they do contain personal information about your browsing habits. Some countries now have laws that require user consent before these tracking tools can be used. The rules can be strict when it comes to the information being collected by your site and how it’s being used.

[Screenshot: an example of a website cookie consent form]
Consent forms clearly indicate what’s being tracked and how that information is being used, and give users the ability to opt out.

Under the previously mentioned CCPA, California mandates that privacy policies contain a “DNT” or do-not-track clause. That means you must indicate whether your site will honor do-not-track requests. Nevada and Maine have similar legislation in the works and will likely follow suit. Federally, the Gramm-Leach-Bliley Act also addresses the collection of personal information by financial institutions, including cookies (Bloomberg Law, 2019).

The EU’s ePrivacy Directive requires that websites ask users to accept cookies and other tracking files before installing them. The United States’ CCPA allows cookies but requires you to provide an opt-out option for selling user data to third parties. It also states that if a third party has cookies on your website, you must employ methods to protect users’ information. As a site owner, you’re responsible for keeping users’ information safe, even through third-party services.

Wondering if your site is compliant? Cookiebot offers a free test to see what cookies your site is using.

Here are a few basic rules to make sure you’re in compliance:

  • Identify the user information being collected and explain how it’s being used
  • When you make site additions, check to see how they’ll affect your policy
  • Make sure your policy is specific and up to date
  • Users should be able to give or refuse consent without the threat of negative consequences if they opt out
  • Require an affirmative action to give consent (the user must click to check a box or the like)
  • Inform people how they can easily withdraw their consent or opt out
  • Make sure that information is secure, especially if you utilize third-party services
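The consent rules above translate directly into logic a site can enforce. The following is an added example written for this article, not code from the original post or from any vendor: a small consent gate where no tracking cookie is allowed until the visitor takes an explicit accept action, a browser Do Not Track signal is treated as a refusal (an assumption; the site’s policy must state whether it honors DNT), and consent can be withdrawn later. The category and cookie names are constructed for illustration.

```javascript
// Added example (not the article's): consent gate modelling the rules above.
// Nothing beyond necessary cookies is allowed until an explicit accept; a
// "Do Not Track" signal counts as refusal; consent can be withdrawn later.
// Category and cookie names are constructed for illustration.
const TRACKING_CATEGORIES = ['analytics', 'marketing'];
const CATEGORY_COOKIES = {          // cookies each category would set
  analytics: ['_site_analytics_id'],
  marketing: ['_site_ad_id', '_site_ad_session'],
};

// Initial state for a new visitor. `dnt` is the browser's Do Not Track value
// ("1" = do not track). Honouring it is this example's choice; the site's
// privacy policy must state whether it does.
function initialConsent(dnt) {
  const state = { decided: false, granted: new Set() };
  if (dnt === '1') state.decided = true; // treated as a refusal, no banner nag
  return state;
}

// Record the visitor's choice. Only an explicit accept or reject counts;
// ignoring the banner or a pre-checked box grants nothing.
function recordConsent(action, categories = []) {
  if (action !== 'accept' && action !== 'reject') {
    throw new Error('consent requires an explicit accept or reject action');
  }
  const next = { decided: true, granted: new Set() };
  if (action === 'accept') {
    for (const c of categories) {
      if (TRACKING_CATEGORIES.includes(c)) next.granted.add(c);
    }
  }
  return next;
}

// Withdrawing consent is a fresh decision that grants nothing.
function withdrawConsent() { return recordConsent('reject'); }

function isAllowed(state, category) {
  return state.decided && state.granted.has(category);
}

// Cookies that must be deleted because their category is not (or no longer)
// consented to. Strictly necessary cookies are never listed, so they stay.
function cookiesToDelete(state, currentCookieNames) {
  const remove = [];
  for (const [category, names] of Object.entries(CATEGORY_COOKIES)) {
    if (isAllowed(state, category)) continue;
    for (const n of names) if (currentCookieNames.includes(n)) remove.push(n);
  }
  return remove;
}
```

Wire `isAllowed` in front of every third-party tag loader and run `cookiesToDelete` on withdrawal so a change of mind actually removes the cookies already set.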

The Legal Policies that Your Website Should Have

Though there is no US federal data privacy law (yet), your business may still be affected by laws in California and the EU. With that in mind, we recommend these three legal policies for your site:

  • A transparent privacy policy
  • Terms of service agreement
  • Clear data collection consent and refusal

They help to create clear expectations for yourself and your customers, while limiting your risk of liability and legal issues in the future. Being as clear and honest as possible will help to foster trust with your users, and it can help to build credibility for your business as a whole.


Bright Space Creative is not a legal firm. We do not claim to have full knowledge of every law or statute, nor do we advise on them. This article is based on popular opinion and potential outcomes.