Everything is set up: your website is done, your app finished. You’ve added Google Analytics, submitted to the App Store. And you can envision your users and customers coming in droves. 
 
Except it’s all hypothetical, because next, Apple or Google will reject your app store submission and request your privacy policy. Or, a potential customer will ask for your shipment and returns policy and you won’t know what to tell them.
 
As much fun as the product part can be, there are legal requirements you need to take care of before launching. These are some of the requirements that every website/app owner must know about:
  1. Providing a privacy/cookie policy
  2. Providing a terms & conditions document for your business
  3. Running email marketing campaigns without breaking any laws
  4. Advertising and communicating your product/service in a lawful way
The following can not be considered legal advice, nor initiate any attorney-client relationship. By reading, however, you will learn the basics from the experts at iubenda who deal with privacy and terms documents daily.
Child's drawing of flowers and sunshine

1. Provide a privacy policy for your website and app

You have made an app which lets kids draw and share their drawings with friends. You’ve also made a website that includes promotional material. You’re finally ready to go live and submit to the App Store. Within the week, however, you will be contacted by Apple, telling you your app has been rejected because it’s missing a privacy policy. Your website is similarly missing a privacy policy.

It’s a simple fix: add a privacy policy to your app and website. But if you’re not a lawyer, creating these documents can be intimidating.
 
The many reasons why you need a privacy policy
 
Privacy policy regulations in North America vs Europe
Europe and Canada have strict privacy regulations. The United States on the other hand doesn’t have a federal law establishing universal rules regarding privacy policies. However:
  • Some states in the US have implemented more stringent regulations for privacy policies, like the California Online Privacy Protection Act of 2003, which states that "any commercial web sites or online services that collect personal information on California residents through a web site to conspicuously post a privacy policy on the site" therefore extending that requirement onto sites outside of California with potential Californian users.
  • The US has a universal privacy regulation when it comes to children under the age of 13. Read the details below under “COPPA”.
Privacy policy for Google Analytics
Many third party tool providers such—as Google Analytics (or Google AdSense, AdRoll, Google AdWords, etc)—request privacy policies from their users. For example, this is what the terms of Google Analytics state: “You will have and abide by an appropriate Privacy Policy and will comply with all applicable laws and regulations relating to the collection of information from Visitors. You must post a Privacy Policy and that Privacy Policy must provide notice of Your use of cookies.”

Privacy policy for the App Store 
  • Apps in the Kids category are required to display a privacy policy in order to be accepted.
  • Apps that include Apple Pay, HealthKit, HomeKit, Keyboard Extensions, user registrations will be rejected outright without a privacy policy.
  • The situation is similar on Google Play and other app stores, they either require a privacy policy outright, or they urge you to follow applicable privacy laws.
Child's drawing of two children with a balloon and sun
Privacy policy for children (COPPA) 
 
The Childrens Online Privacy Protection Act (or COPPA) applies to sites and apps that target kids under the age of 13, or to general audience websites with actual knowledge of personal data collected from children under 13.
  • If a site satisfies either of these descriptions, personal information cannot be collected from children without parental consent.
  • COPPA also imposes other restrictions requiring notice, parental access to information and the option to change it, the ability to opt-out of future information collection, and assurances of information security.
How to write a privacy policy

The exact contents of a privacy policy depend upon the applicable law and may need to address requirements across geographical boundaries and legal jurisdictions.
 
These are the common elements that a privacy policy should have:
  1. Who is the site/app owner?
  2. What data is being collected? How is that data being collected?
  3. For which purposes is the data collected? Analytics? Email Marketing?
  4. What third parties will have access to the information? Will any third party collect data through widgets (e.g. social buttons) and integrations (e.g. facebook connect)?
  5. What rights do users have? Can they request to see the data you have on them, can they request to rectify, erase or block their data (under European regulations most of this is mandatory)?
  6. Description of process for notifying users and visitors of material changes to the privacy policy
  7. Effective date of the privacy policy
Publishing your privacy policy
 
Privacy policies should be drafted in plain and uncomplicated language. The privacy policy should be translated into the same language that your site/app is translated into; you want the users who understand your site to be able to also understand the privacy disclosures.
 
You should also:
  • Publish a clear and prominent link or button labeled "privacy policy", “privacy notice” or similar on the home page, which directly leads to the privacy policy.
  • Make it accessible from everywhere on the site (in the footer is a natural and widely used choice).
  • Display a clear and prominent link to the privacy policy at the location where personal information is collected & add a statement like the following: "NOTICE: We collect personal information on this site. To learn more about how we use your information, click here." (You may also require explicit consent, or opt-in, in some legislations like the EU.)
  • If you’re publishing a mobile app, you would usually link the privacy policy on the same level as other menu items like “Settings”, “About us”, “Privacy Policy”.
Read a full article on posting of a privacy policy.
 
iubenda can help with this process by providing a generator that assists with the creation and maintenance of a privacy policy.

A delivery truck

2. Provide a terms & conditions document for your website/app

You’ve fixed the privacy policy issue on the site and in the app. You are, however, also selling and shipping your brand’s merchandising on your site. A customer asks about your shipping and returns policy. This is what you will address in a terms & conditions document.

Terms & conditions, much more than the privacy policy, are highly dependent on your activity and the laws that apply to your particular business. Nonetheless, there are some common rules of thumb.
 
Why have a terms & conditions document?
 
Sites or apps often overlook the importance of the terms & conditions. As a legally binding agreement, the terms & conditions document is like any other contract: among other purposes, it determines the rights and obligations of each party and the allocation and disclaimer of risk.
 
The main purpose of terms is to protect yourself and your company. Not having them may result in your business being liable if a user abuses your service or acts unlawfully or your business being forced accept extreme conditions as the example below for “withdrawal” shows.
 
All of this information should be provided before the user starts using the services or before a purchase is completed. The most common route is to bundle as many of these details into the terms & conditions as possible. Then you direct your users in such a way that they are going to read them (e.g. the user is required to click a button labeled ”I agree," and told that clicking signifies consent).
 
How to write the terms & conditions document
 
These are some common elements that a terms & conditions document often have:
  • Identification of the business (geographical and email address)

    European online businesses are, in most cases, required to post the company's name, postal address (registered office address if different) and email address, the company's registration number (in a trade register), any trade or professional association memberships as well as the company's VAT number. That information must be disclosed based on EU Directives and their corresponding national implementations.

  • Description of the service that your site/app provides
  • Terms of delivery or performance
  • Grant of rights of use and limits on such use
  • Terms, conditions and methods of payment
  • Restrictions, limitations or conditions of purchase, such as parental/guardian approval requirements, geographic or time restrictions
  • Instructions for proper use including safety and health-care warnings
  • Information relating to available after-sales service
  • Allocation of risk and limitations on liability
  • Available warranties and guarantees
  • Details of and conditions related to withdrawal, termination, return, exchange, cancellation and/or refund policy information

    In the EU, consumers profit from a right of withdrawal that allows them to cancel the contract and send back their goods in many cases (provided that the deadline to exercise this right is met). If you don’t inform your consumer/buyer of their 14-day withdrawal right in the terms, that withdrawal period will extend to another 12 months (!).

    In the United States, shipment information should be outlined in the terms, if you don’t make a promise, then you should ship within 30 days. If you can't ship within the promised time, you must notify the customer of the delay, provide a revised shipment date and explain his right to cancel and get a full and prompt refund.

    In the United States, many states have laws addressing returns/refunds. For example, California law states that merchants are required to clearly post their refund policy unless they offer full cash refund, exchange, or store credit within seven days of the purchase. If a business violates this requirement, customers may return goods for a full refund within 30 days of the purchase.
Publishing the terms & conditions:

Similar rules apply here as for the privacy policy: make the terms accessible, clear and complete in writing, in all the necessary languages and with a clear and prominent hyperlink.

Other considerations for posting of a terms & conditions document:
  • Make them available in a way that allows the terms to be stored and reproduced by your users.
  • Integration with the purchase process: ideally, the user should be required to check a box to indicate that he or she has read, understood and accepted the terms before completing the sign up or sales process.
  • Accept button: the accept button should only work when the accompanying radio box has been checked (and the user cannot proceed without consent).
Lots of email symbols

3: Run email marketing campaigns in a lawful manner

You’ve fixed the terms. Business is going well, but you think it could be even better if you did some email marketing. You have collected emails from people who visited your site and signed up to your newsletter. What now?

 
If you your business is sending commercial emails, you must comply with the US CAN-SPAM Act.
 
If any of your users are US citizens, you must follow its requirements. The rules can be summarized as follows:

  • Include your physical postal address in every email being sent
  • Tell recipients how to unsubscribe from receiving future email from you
  • Don’t use false or misleading email header information
  • Don’t use deceptive subject lines
  • Identify the message as an ad
  • Honor unsubscribe requests promptly
You should also monitor if other parties doing email marketing on your behalf are honoring the rules as well.
 
Depending on the legislation, some messages may be exempt from these rules if they are of a transactional/relational nature. The definition of what may be defined as transactional changes from country to country. If you are sending email to Canadian users, for example, you might want to adopt the very strict rules set by the CASL, Canada’s Anti-Spam Legislation. Europeans should consult the Data Protection Agency of the EU-country in which their users reside.
 
That being said, Canada and Europe have stronger requirements for sending promotional emails (the so called opt-in principle). These requirements are built around the basic principle that you should only send commercial automated mass emails to people that agreed to receive them.
 
In short:
  • Opt-out (USA): unsolicited emails aren’t intrinsically illegal, but you must follow specific requirements and provide an opt-out method (users can unsubscribe).
  • Opt-in (Canada, Europe): no direct marketing email can be legally sent without the express consent from the receiver, unless a pre-existing business or commercial relationship exists.
Learn more about opt-in vs. opt-out.
Businessman with a lying pinocchio nose in his shadow

4: Advertise lawfully

Your business is flourishing and you want to redo the images and copy on the website and in ads. Are there any other rules here to observe and keep in mind?

Telling the truth in advertising and substantiation of claims are important concepts in the United States and Europe. Rules regarding this requirement can be found in the FTC Act and other rules and guides by the Federal Trade Commission as well as in various European Directives specifically aimed at protecting the rights of consumers. As rules of thumb, your communication should be truthful/not misleading. You must be able to back up your claims with grounded evidence (this is commonly referred to as “substantiation”):
  • According to the FTC Act, a claim can be misleading if relevant information is left out or if the claim implies something that's not true;
  • Claims must be substantiated with particular detail when they concern health, safety, or performance. The type of evidence may also depend on the product, the claims, and what experts believe necessary.
You must also clearly disclose advertising and marketing materials or sponsorships. For example, if you’re publishing content (e.g. product reviews) in exchange for payment, or while receiving some sort of benefit that may have influenced your judgement, you must publish a disclosure notice.
This article is provided by iubenda. iubenda helps small businesses craft privacy policies and other legal documents for their websites, social media and mobile apps.
 
Design tips & business trends in your inbox?
Subscribers to our newsletter have been scientifically proven to be smarter, better looking and at least 50% more awesome than average.
You're in!
You proved us right again. Our newsletter is only for the coolest kids. And you’re one of ‘em. Get ready for amazing stuff in your inbox.