Everything is set up: your website is done, your app finished. You’ve added Google Analytics, submitted to the App Store. And you can envision your users and customers coming in droves. As much fun as the product part can be, there are legal requirements you need to take care of before launching. These are some documentation requirements and information that every website/app owner must know about:

  • Providing a privacy/cookie policy
  • Providing a terms & conditions document for your business
The following explains, in plain language and by following an example story, how and why you should think about the privacy policy and terms documents. It is not legal advice and does not initiate any attorney-client relationship. By reading it, however, you will learn the basics from the experts at iubenda, who deal with privacy and terms documents daily.

1. Provide a privacy policy for your website and app

You have made an e-commerce website and app where people can buy shoes. You vaguely remember that you need a privacy policy, but do you really need one?
 
Turns out there are many reasons why you need a privacy policy:
 
Privacy policy regulations in Europe
 
Europe has a strict privacy regulation framework, mainly set down in the personal data directive (95/46/EC) and the e-Privacy Directive (2002/58/EC). Since both acts are directives, all member states of the European Union are bound to reach their goals and ensure a common fundamental degree of data protection. However, they are free to adopt the implementation measures they prefer for their nation, so that there are differences between countries: the devil lies in the detail.
 
Starting from May 2018, personal data protection will be fully harmonised throughout Europe, since Regulation 2016/679/EU will enter into force, providing a directly binding privacy regulation that does not allow Member States to derogate.
 
EU-US data transfer
 
The hottest issue at the moment concerns the transfer of personal data from Europe to the U.S., since the U.S. does not have an appropriate level of protection for private data in the European sense. Therefore, European users protected by European data protection laws could be exposed to less strict regulation whenever their data crosses the Atlantic, which happens almost inevitably if you just consider that Google, Facebook, Amazon etc. are all based overseas.
 
To solve the problem, the European Commission reached an agreement with the U.S. Government called “Privacy Shield”, which essentially provides a set of data protection principles that U.S. regulations, authorities and companies have to abide by in order to be admitted to EU-US data transfers. Accordingly, the European Commission has recently issued an adequacy decision stating that the U.S. is considered a country providing a data protection level comparable to that in Europe.
 
What about the UK and European laws?
 
Another hot topic for Britain, for obvious reasons, is the looming Brexit process. Does it mean you can stop complying with European “digital” laws? No, it doesn’t, for two reasons:
 
Britain’s exit from the EU is likely to take some time, so European laws currently still apply when you sell to EU residents, sign them up to your services, or collect personal data for professional purposes. Secondly, in a scenario where the UK were to have completely “exited” the European data protection framework, you would still fall under it in cases where you actively target European users.
 
Details about processing in national legislations, like the UK
 
The European guidelines from the Directives have been implemented into the Data Protection Act 1998 (also called ‘Act’). The place to get your information regarding these matters is through the Information Commissioner’s Office, the ICO. You’ll find a lot of helpful guidance if you look for it. One such little helper is the guide for small business. The ICO is also the entity that can impose fines of up to GBP 500,000 for serious breaches of the requirements.
 
As a general principle, personal data can be collected and processed when conditions such as the following are met: the user/customer consents, or you need to process the data to enter into or carry out a contract to which the user/customer is a party. Whichever of the conditions is relied upon, there is one more step needed for this to be legal: you must provide the user with fair processing information.
 
This includes the identity of the data controller, the purposes of processing and any other information needed under the circumstances to ensure that the processing is fair. This is what you should cover with your site’s well-informed and clear privacy policy.

How to write a privacy policy

A privacy policy should be precise, exhaustive and, most of all, not written in legalese.
 
The official guidance in the UK by the ICO also outlines this point saying “Privacy notices should be clear and genuinely informative. They must be drafted so that the people they're aimed at understand them”.
 
The exact contents of a privacy policy depend on the kind of personal data collected and processed and on the ways they're being processed: who is collecting them? are they being transferred to third parties? are they being stored and, if yes, for how long?
 
Again, the ICO outlines the privacy policy requirements like this:
 
As a minimum, privacy notices should tell people who you are, what you are going to do with their information and who it will be shared with. However, they can also tell people more than this. They can, for example, provide information about people's rights of access to their data or your arrangements for keeping their data secure. Whatever you include in your privacy notice, its primary purpose is to make sure that information is collected and used in a transparent way.
 
These are some common elements that a privacy policy should have:
 
  • Who is the site/app owner?
  • What data is being collected? How is that data being collected?
  • For which purposes is the data collected? Analytics? Email Marketing?
  • What third parties will have access to the information? Will any third party collect data through widgets (e.g. social buttons) and integrations (e.g. Facebook connect)?
  • What rights do users have? Can they request to see the data you have on them, can they request to rectify, erase or block their data (under European regulations most of this is mandatory)?
  • Description of process for notifying users and visitors of material changes to the privacy policy
  • Effective date of the privacy policy
 

Publishing your privacy policy

As previously mentioned, privacy policies should be drafted in plain and uncomplicated language. The privacy policy should be translated into the same languages that your site/app is translated into; you want the users who understand your site to be able to also understand the privacy disclosures. However, this does not mean that if you run a website in England everything must be in English: it's totally fine to have your website in, for instance, French. What you cannot do is have a website in French but a privacy policy only in English: in that case users would be misled and may not be able to understand the privacy policy. This and more can also be found in yet another guide by the ICO, the Personal information online code of practice.
 
You should also:
 
  • Publish a clear and prominent link or button labeled "privacy policy", “privacy notice” or similar on the home page, which directly leads to the privacy policy.
  • Make it accessible from everywhere on the site (in the footer is a natural and widely used choice) throughout navigation.
  • Display a clear and prominent link to the privacy policy at the location where personal information is collected & add a statement like the following: "Notice: We collect personal information on this site. To learn more about how we use your information, click here."
  • If you’re publishing a mobile app, you would usually link the privacy policy on the same level as other menu items like “Settings”, “About us”, “Privacy Policy”. Additionally, the privacy policy should also be accessible before the actual download on the app store page.
 
Read a full article on posting a privacy policy.

iubenda can help with this process by providing a generator that assists with the creation and maintenance of a privacy policy.
 

2. Cookies

The use of cookies involves privacy issues. When you place cookies on users' terminal devices, you're able to tell what websites users are navigating, what preferences they have, at which times of the day they tend to navigate and more. Even if it's technically not easy to work out who the person behind a specific online behavior is, the relevant fact is that it's possible.
 
According to European legislation, you’re required to inform users that you are going to place cookies before doing so. Users must have the possibility to deny their consent by leaving the website, or to accept cookies by scrolling down (in Italy, for instance, this counts as acceptance) or by clicking on “OK”. This requirement is usually implemented through a cookie banner that appears at the top of the website or app.
 
Since this is technically challenging, iubenda also offers a solution to block and release cookies, display a banner and collect user consent. Europe, however, is not very unified in the way these cookie requirements have been implemented. We find everything from “not implemented at all” in Germany to “quite stringent” rules in Italy or Spain.
 
In the UK, the use and storage of cookies and similar technologies requires clear and comprehensive information, and the consent of the website user. The ICO’s position on the matter is the following: consent can be implied where a user proceeds to use a site after being provided with clear notice, for instance by way of the famous banner or a pop-up, outlining that use of the site will involve installation of a cookie.
 
Consent is not required for cookies that are:
 
  • used for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or
  • strictly necessary for the provision of a service requested by the user.
In general, the enforcement can be regarded as being a lot more flexible than in many continental European countries.
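The "block and release" behaviour described above (no non-essential cookie or script runs until the user has chosen, while the strictly necessary ones are exempt) is easier to reason about when the decision logic is separated from the banner itself. The following is an added example written for this article and is not iubenda's code; the category names, the sample cookie registry and the consent record format are assumptions made for the example, and wiring the `release()` call to a real banner's button is left to the page.

```javascript
// Added example (not iubenda's code): a consent gate that decides which cookies
// and deferred scripts may run before and after the user's choice is recorded.
// Category names, the registry below and the consent record are constructed
// for this example and are not taken from the article.

// Categories that the e-Privacy rules quoted above exempt from consent.
const EXEMPT_CATEGORIES = new Set(['necessary']);

// Constructed sample registry for a hypothetical shoe shop: every cookie the
// site may set, tagged with its category and purpose (the same table belongs
// in the cookie policy).
const COOKIE_REGISTRY = {
  session_id: { category: 'necessary', purpose: 'login session and shopping cart' },
  csrf_token: { category: 'necessary', purpose: 'anti-CSRF token for forms' },
  _ga:        { category: 'analytics', purpose: 'Google Analytics visitor id' },
  _fbp:       { category: 'marketing', purpose: 'Facebook pixel' },
};

class ConsentGate {
  constructor(registry, exempt = EXEMPT_CATEGORIES) {
    this.registry = registry;
    this.exempt = exempt;
    this.consent = null;   // no choice recorded yet: everything non-exempt is blocked
    this.deferred = [];    // scripts waiting for consent: { category, name, run }
  }

  // Record the user's choice with a timestamp (useful as evidence of consent).
  // Any category the user did not explicitly opt into is treated as refused.
  recordConsent(choices) {
    const categories = new Set(Object.values(this.registry).map(c => c.category));
    const normalized = {};
    for (const cat of categories) {
      if (this.exempt.has(cat)) continue;
      normalized[cat] = choices[cat] === true;
    }
    this.consent = { choices: normalized, timestamp: new Date().toISOString() };
    return this.consent;
  }

  // Fail closed: a non-exempt category is allowed only with recorded consent.
  categoryAllowed(category) {
    if (this.exempt.has(category)) return true;
    return this.consent !== null && this.consent.choices[category] === true;
  }

  // Cookies not listed in the registry are blocked too: if it is not documented
  // in the policy, it should not be set.
  isAllowed(cookieName) {
    const entry = this.registry[cookieName];
    if (!entry) return false;
    return this.categoryAllowed(entry.category);
  }

  // Register a third-party script to load only once its category is allowed.
  defer(category, name, run) {
    this.deferred.push({ category, name, run });
  }

  // Run every deferred script whose category is now allowed; keep the rest blocked.
  release() {
    const ran = [];
    const stillBlocked = [];
    for (const job of this.deferred) {
      if (this.categoryAllowed(job.category)) {
        job.run();
        ran.push(job.name);
      } else {
        stillBlocked.push(job);
      }
    }
    this.deferred = stillBlocked;
    return ran;
  }

  // Split the registry into allowed/blocked cookies for the banner or a debug view.
  report() {
    const allowed = [];
    const blocked = [];
    for (const name of Object.keys(this.registry)) {
      (this.isAllowed(name) ? allowed : blocked).push(name);
    }
    return { allowed, blocked };
  }
}

// Stand-alone walk-through: nothing but necessary cookies before the choice,
// then analytics is released after the user opts into it only.
function demo() {
  const gate = new ConsentGate(COOKIE_REGISTRY);
  const loaded = [];
  gate.defer('analytics', 'ga.js', () => loaded.push('ga.js'));
  gate.defer('marketing', 'pixel.js', () => loaded.push('pixel.js'));
  const before = gate.report();
  gate.release();                                  // runs nothing: no consent yet
  gate.recordConsent({ analytics: true });         // marketing left unchecked
  const ran = gate.release();                      // ['ga.js']
  const after = gate.report();
  return { before, after, ran, loaded };
}
```

In a real page, `release()` would be called from the banner's accept handler and again on every page load after reading the stored consent record back (the record itself is a first-party cookie in the necessary category). The fail-closed defaults are the point: an undocumented cookie or an unanswered banner never results in a script running.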

3. Provide a terms & conditions document for your website/app

Terms & conditions, much more than the privacy policy, are highly dependent on your activity and the laws that apply to your particular business. Nonetheless, there are some common rules of thumb that we're outlining here below for you.
 
Sites or apps often overlook the importance of the terms & conditions (T&C). As a legally binding agreement, the terms & conditions document is like any other contract: among other purposes, it determines the rights and obligations of each party and the allocation and disclaimer of risk.
 
In principle, you're free to run your business without any T&C, but the consequence will be that to all contracts and legal relationships you establish with your customers, statutory law will be applicable. Statutory law, and in particular consumer law, strongly protects consumers: having T&Cs allows you to derogate - within the limits of what is legally possible - in your favour.
 
Example: if you want your customers to bear the cost of return shipping whenever they decide to withdraw from a contract, you have to inform them beforehand. This usually happens within the T&C applicable to online purchases. If you fail to inform them, you're obliged to bear the costs yourself.
 
Mandatory and non-mandatory information

While you're not obliged to adopt T&Cs, European regulations require you to provide a whole set of mandatory information. Not having such information on your online shop or app may result in sanctions, actions brought by consumers' associations or competitors, or unfavourable treatment of your contractual position, as in the example above.
 
Some legislation information

Informational duties are spread across various pieces of legislation, such as the Electronic Commerce (EC Directive) Regulations 2002, the Consumer Contracts Regulations (see more here and here) and some European regulations, like the quite recent Regulation 2013/524/EU, which introduced the Online Dispute Resolution platform for consumers.
 
Most mandatory information must be provided before the user is bound to a contractual agreement. There are, however, also informational duties after the purchase has been completed (e.g. the obligation to confirm to the user without undue delay that his order has been correctly placed and received).
 
How to write the terms & conditions document

It is not possible to provide a complete overview of all the information that has to be provided, since it depends very much on the kind of business you're running. However, there are some common elements that T&Cs should always contain:
  • Identification of the business (name, address) and your VAT number (if your business is registered for VAT);
  • Description of the service that your site/app provides: be precise! You don't want customers to claim they were expecting a totally different service!
  • When and at what cost will the goods be delivered? Which territories are you serving?
  • How can customers pay? Are there any handling fees? You have to provide at least one common and free-of-charge means of payment.
  • In which language is the contract being concluded? Recently WhatsApp got into trouble in Germany because, in spite of providing all of its service in German, the T&Cs were only available in English. So: inform your customers beforehand in which language the service and the contract are available.
  • Is an after-sales service available?
  • Inform about available (legal) warranties.
  • Withdrawal right: under EU, and therefore UK, law, consumers have a statutory right to withdraw from contracts concluded online within 14 days without stating any reason. This means that, as long as they respect the deadline, your customers are free to send goods back just because they don't like them or found them cheaper somewhere else.
  • On top of that, you have to inform them precisely about the withdrawal right they enjoy, about the ways to exercise it, and about whether they have to bear return costs or not. You're not allowed to retain part of the price paid in case of withdrawal: the customer is entitled to a full refund.
  • Remember: if you don't inform your customer of their 14-day withdrawal right, the withdrawal period will extend to 14 days + 12 months.
  • The button customers need to click in order to place a binding order needs to be clear. It is important that the chosen wording clearly conveys that 1) customers are getting legally bound 2) to a contract that requires them to pay. So, for instance, a button saying “confirm order” would probably not be considered clear enough.

Publishing the terms & conditions

Having them is not enough: you have to place your T&Cs in such a way that customers are virtually forced to be aware of them. If you fail to do so, you run the risk that your T&Cs won't be considered part of the contract concluded with customers. Therefore, the most common and safe solution is to place a check-box plus a link to the T&Cs right above the button customers have to click in order to place an order: if the box is not checked, the button stays inactive.
 
T&Cs must be available in a way that customers can download, save and print them.
This article is provided by iubenda. iubenda helps small businesses craft privacy policies and other legal documents for their websites, social media and mobile apps.