5 mistakes small businesses make on their terms of service and privacy policy

Starting a business takes an extreme amount of work. Countless hours are spent on developing your product, graphics, websites, business cards, apps, partnerships, and operating agreements, and this is usually before the company earns its first dollar. Somewhere in that tornado of activity are the website’s terms of service and privacy policy. Usually a quick copy and paste from another site will check off this box, and it is time to move on to the more interesting parts of running a business.

The quick and easy route can be very expensive.

What are the terms of service and privacy policy for a website?

What many small business owners do not realize is that both the privacy policy and terms of service are the agreement between the business and the user. Failing to abide by these documents exposes companies to fines and litigation. These documents may limit liabilities, set choice of law and choice of venue, and state what actions the business will take to protect user and customer information. A business founder would never sign a sales contract or lease without reviewing it in full. However, the same founder may enter into an agreement, pulled from another website and never read, with every website visitor and customer. The website visitor probably isn’t reading these documents, until, for whatever reason, they start looking for ways to sue.

Even this website includes a privacy policy and terms of service, including a popup letting you know our standard practices. Without it, we would be inviting a lot of trouble.

1. Copying and pasting from another website, or using a template.

Google employs a lot of very smart attorneys, but their terms of service will not fit every company. Netflix can’t copy and paste Google’s terms of service, because while they are both tech companies, what they do is very different, resulting in very different legal issues. These are not boilerplate agreements, but highly tailored to what the company does, how it does it, and where it’s located. If there’s an app, the terms of service will cover the specifics of the app, too. The privacy policy will set the guidelines for what happens to customer information naturally gathered from the app. Edits must be done with an eye on all four corners of the agreement. These agreements will typically reference exceptions, examples, and guidelines within the document. If those references are gone, you may have a huge problem.

Simply put, these documents are not one size fits all.

2. Authorizing the use of cookies.

Nearly every website uses cookies, mostly for innocuous purposes to improve the user experience. For instance, after a visitor dismisses that aforementioned popup, our website saves a small text file on their computer saying the alert has been shown and to hide it on future visits. It helps limit unnecessary popups, which the user should appreciate. Websites have used cookies for decades, saving dozens of pieces of information to improve how the user interacts with the website. However, that may be illegal unless it is spelled out in a privacy policy. There is currently a court split indicating this standard practice may or may not violate the Wiretap Act.

For a business owner, a “court split” means a lot of legal fees before we find out if a court will allow suit. It is much easier to include a section where the user agrees to allow the use of cookies.

3. Setting choice of law and choice of venue.

Here’s another common problem: a business is sued in a court on the other side of the country. The business has never operated there, never sold a product there, and no employee has ever been within hundreds of miles of the court. The problem? The terms of service, copied from elsewhere, state that any disputes will be brought in that court, following that state’s law. If you copied Google’s terms of service, you are now stuck paying Silicon Valley attorneys to apply California law in a court in Santa Clara County, California. Plan on plenty of plane trips for hearings and depositions.

If a business is stuck suing a customer for failing to make payments, that suit will have to come in the court specified in the terms of service. If you sue a local customer in a local court, their attorney is likely to have the case thrown out. They can use your own terms of service against you, and toss the case because it’s filed in the wrong court.

This can become an expensive logistical nightmare, and it is frequently encountered because no one ever reviewed what they put on their website.

4. Failing to make the terms of service enforceable.

Remember that popup? Websites don’t like adding popups, especially for something that isn’t driving sales. It is becoming industry standard to include a popup with links to the privacy policy and terms of service. You might remember in May getting dozens, if not hundreds, of emails about updates to privacy policies and terms of service. The European Union instituted the General Data Protection Regulation (GDPR), setting guidelines on privacy policy practices. Those emails were required by GDPR, and provided privacy policy updates and changes. The Federal Trade Commission (FTC) hasn’t put these standards on US companies yet, but you still need to show users and customers had a chance to review the agreements.

It’s not clear if a solitary link at the bottom of a webpage ever reached the visitor. Get ahead of both GDPR and possible FTC standards, and use a small popup on your webpage with links to both the terms of service and privacy policy. It could save thousands in legal fees proving those are enforceable.

5. Not doing what is in the privacy policy.

This is surprisingly popular. We explained how Facebook keeps getting in trouble with the FTC: they haven’t followed their privacy policy and terms of service. Facebook has, at times, unintentionally let unauthorized people access client information. They have also moved their platform improvements ahead of their privacy policy. For instance, a new service might not comply with their old policy. Since the FTC has been very slow with providing guidelines for privacy practices, businesses are more or less bound by their own privacy policies.

For instance, a company gets in trouble when its privacy policy states client info will never be sold or transferred to another entity. For tax or legal reasons, a company may switch from an LLC to an S-Corp, or even switch to multiple entities. Transferring client information could run afoul of the privacy policy. Even using Google Analytics may involve a third party (Google) reviewing information covered in the privacy policy.

This can be particularly dangerous with a copied and pasted privacy policy, or even using an online template. If it’s not what your business actually does, you have broken your agreement and put the company under pretty hefty liability.


Many small businesses don’t understand the importance of having a good terms of service and privacy policy. Avoiding these five pitfalls can save a lot of headaches, but there are many more mistakes frequently seen in these documents. Overlooking the importance of these documents can cost thousands the very first time problems arise. A qualified attorney should review terms of service and privacy policies. Contact our attorneys below to schedule a consultation. Spengler & Agans offers a flat-rate legal checkup for startups and businesses needing a broad, overall legal review of their business and business practices.

Contact Us