A boutique law firm of exceptional quality and talent where clients' and lawyers' interests are aligned by collaboration and innovation
Are your website and app terms and policies a tick-box exercise, or something critical to your business?
A business’s online assets can be:
• a shop window to show off brand, images and creative content
• an e-commerce platform for physical or digital goods and services
• where it publishes corporate information
• a marketing centre, including competitions and special offer codes
• a training centre, or resource hub
• a news source
• a directory
• a community, where users upload content, share it and comment on it
all of which can mean that online assets include intellectual property, personal data, confidential information and business-critical information.
Website and app owners, developers and operators invest time and money in bringing their business to market. Their budgets are tight and there is usually pressure to generate income. No amount of testing in a closed environment can match testing a site or app in the real-world, where real usage data can be analysed to identify how improvements can be made.
There is no gatekeeper to prevent a website owner from publishing a website without including terms of use, a privacy policy, a cookie policy or an acceptable use policy. As a result, the terms, policies and notices on websites vary, and many fail to comply with regulations. Some businesses fail to add any terms at all; some seek to save costs by using generic templates; some rely on online subscriptions for (slightly) less generic templates. Many also sell goods or services without specific terms and conditions that cover statutory rights like refunds, cooling-off periods, and deliveries.
Apps, on the other hand, usually cannot be published on a tech provider’s platform (e.g. Google Play, Apple’s AppStore) without publishing terms and policies. Often the motivation for the app developer or owner is to release the app as soon as possible. This can mean that terms and conditions, policies and notices are viewed as boxes to tick to obtain access to the AppStore or Google Play, rather than key compliance documents, protections for the owner and a reflection of their brand ethos.
Unfortunately, if a website or app owner does not take its terms of use and policies seriously it exposes itself to risks including regulatory breaches, restrictions, and fines, compromised intellectual property and greater expense when it takes action to protect itself. The business’s reputation with clients, customers, users, subscribers, and investors can take a significant hit, with consequences including a lack of trust in the website or apps, users quitting the site, users deleting the apps, ending subscriptions or withdrawing investment.
However, a website or app owner that does tailor its terms and conditions to its business will be investing in the sustainability of its business and protecting itself from the all-too-common pitfalls of online assets.
What should a website or app owner know about terms, policies, and notices?
Intellectual property and confidential information
One of the primary areas to cover in terms of use is intellectual property and confidential information.
A business would not usually leave all their information in one place, especially one where anyone could take it away and use it for their own purposes. But websites fall under the “everyone else does it” fallacy, both from a provider and a user perspective. Website and app owners often publish content online that they would not otherwise make freely available. Users often incorrectly believe that anything published on a website is free for them to copy (or “scrape”) and use as they wish. Some users may deliberately scrape the site for data in full knowledge that they are breaching intellectual property rights.
The widescale scraping of websites to provide the data required for AI (notably large language models and generative AI) has drawn online intellectual property into particular focus. Governments and regulators are facing demands from AI technology companies to legitimise the practice, or at least to create an exception for use in large language models. Understandably there is strong resistance, particularly from the owners of copyright in literature, pictures, audio content and video. When huge and powerful companies scape data, protecting intellectual property can seem daunting to the average website and app owner.
Transitional Arrangements
However, website and app owners can take proactive steps to protect themselves and place them in a stronger position should their intellectual property rights be breached. They should assert their rights in their terms of use and apply notifications in appropriate places, such as the copyright notice or trademark notice. There are also practical steps to take, but they depend on an understanding of the intellectual property on the site/app. For example, does a list of information set out on the site or app constitute a database that may have additional database rights? What about design rights, domain names, logos, images, text, and video?
Businesses invest heavily in building up their intellectual property, but many websites do not feature prominent assertions of copyright, design rights and database rights – or even refer to them in their terms and conditions. It is essential to review the intellectual property displayed on a website or app (or otherwise accessible to third parties) to understand:
If in doubt, seek advice.
Social media, forums etc.
In addition to terms of use, where a website or app permits the users to upload or contribute to the site or app platform, it is open to the broad range of behaviours of global internet users. Recent legislation to prevent online harms in the UK has placed additional responsibilities on website and app owners, complementing existing laws to protect users of their platforms. The safeguards and processes that a website or app operator must have in place should be reflected in the acceptable use policy. Users should be in no doubt as to what behaviour is acceptable or unacceptable, or what the consequences of unacceptable use are. Owners and operators should be confident that the measures taken to protect users are robust and enforceable. Acceptable use policies have never been as important as they are today. A good policy will be more than a template – it requires an understanding of the website and app, the way data is used and treated from the moment it is uploaded or ingested into the system, the tech architecture behind the site or app and the safeguards implemented by the operator.
Online sales
Terms of use must be user-friendly, as well as being relevant to the business and compliant with laws and regulations. If the website or app includes the sale of products and services (including training courses), the owner should consider whether terms and conditions of sale should be included in one lengthy terms of use page or separate terms for the applicable product(s) or service(s). Either way, the terms must be compliant with the laws for selling online, whether selling to businesses or consumers. Pop up boxes, payment processes and follow up emails all must contain specified information about buyer rights.
When a website or app connects two parties it may require various categories of users, such as buyers and sellers. Users may be both buyer and seller, or they may be distinctly one or the other. Where they are distinct, the terms for one are different to the terms for the other. For example, the website or app owner may choose not to reveal its terms with a seller to the buyer, or anyone else, so as not to give away the business model. Whether or not they are openly available on the site, multiple sets of terms must be compatible with each other and with those terms that are openly available.
Personal Data
If a website or app collects or processes personal data, it should have a privacy policy. In the UK GDPR, personal data is defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
A website or app owner is likely to be a data controller if they exercise overall control over the purposes and means of the processing of personal data. Data processors act on behalf of, and only on the instructions of, the relevant controller.
Businesses and individuals are obliged to register with the ICO if they process personal data. Looking specifically at websites and apps, some common examples of where personal data is used include:
• Log-in details
• Contact details
• Photographs
• Interactive communities, gaming, message boards and forums
• Online training courses and registers of qualifications
• Any data tracked to personal data (facial recognition, cursor movement, time spent on page etc)
• Data uploaded by the user, such as progress towards a specified goal
If a website or app owner relies on “legitimate use” to process data, it should use the ICO’s tools to confirm that it is legitimate use and follow their advice, such as conducting a legitimate use assessment. If the owner relies on consents in pop-up boxes, the language of those consents must cover all the uses that they will use the personal data for. It must also comply with the data protection and privacy laws and regulations.
Most websites will use cookies. Cookies are also covered by data protection and privacy laws, making a cookie policy necessary. Anyone using the internet will have seen a cookie notice requiring the user to select which cookies they consent to, but many websites still have no notice at all, or only a simple notification that cookies are used. Typically, the website was compliant at some point in time, but regulation change and updates should be captured in regular reviews.
Consequences of failing to give the right notices and collect the right consents include increased likelihood of time-consuming subject access requests from users and complaints to the ICO. If a complaint is upheld, the ICO has the power to impose some eye-watering fines (including a percentage of global turnover), depending on severity of the breach. The associated publicity will lead website and app users to consider whether they continue to use the site or app. Just seeing notices and policies that don’t seem to be tailored to the business of the site or app will cause potential investors to think twice, but fines from the regulator will make them question the value of an investment.
Policies and notices on websites and apps are not just tick-boxes – they are a marker of the professionalism of an organisation.
Competitions and special offers
A favoured way to direct users to a website or to download an app is to run a competition or a special offer campaign. Competitions are subject to specific regulations (e.g. gambling regulations) in the UK and competition terms must contain key provisions to be compliant. Usually, those terms are posted to a page on a website. Special offers may be captured in other terms, but an asterisk and a link to specific terms may provide more flexibility.
Dovetailing terms
Websites and apps usually have combinations of terms of use, membership terms, and terms and conditions of sale (goods and services). In addition, they have privacy policies, cookie policies, acceptable use policies, notifications, and consents. Each of these documents is likely to cross-refer to one or more of the others, so they must always be considered collectively rather than in isolation.
Where the owner creates a new set of terms, or amends an existing one, it is important to ensure that the new set or amendment dovetails with all other terms, policies, and notices. An inconsistency between two sets of terms can lead to ambiguity that compromises the owner’s position should it choose to enforce a breach, for example, to protect its intellectual property. Maintaining and updating only one set of terms, or one policy, can leave gaps in complying with regulation, with the resulting potential for regulatory attention, fines, and reputational damage.
These are only a few of the common issues relating to website and app terms - there are many more to consider, such as e-commerce and payments, cyber-security, third party and licensed content, third party providers, flow down of terms from hosting or cloud providers, but those set out here will be important to almost all website and app owners.
The first step to creating terms that reflect your business goals, comply with the law, and integrate properly between terms, policies and notices is to have a lawyer review everything that you have in place. They can work with you to create a strategy to ensure that you know:
James Teare has helped clients and businesses to be ready for investment and divestment for over twenty years, both in private practice and in-house. As a lawyer with a keen interest in technology, he has also developed apps and been through many of the issues faced by software development companies with his own business. James draws on both his legal knowledge and practical experience to understand clients’ businesses and tailor advice accordingly. He offers a fixed fee service for an initial assessment of a product or business and outline strategy for preparing for due diligence.
To discuss any of the above further, please contact James: jamesteare@bexleybeaumont.com | 07709 733459
