A Privacy Policy Can Help You Avoid Violating Your Vendor Contracts

A Privacy Policy Can Help You Avoid Violating Your Vendor Contracts

We just read the Terms of Use for 39 websites so you don’t have to.

There’s an easy way to make sure that your website does not violate the Terms of Use of the third-party services it needs to operate: have a privacy policy on your own site.

Most websites are integrated with a host of third-party tools, either to collect visitor information or provide that same information to others. A WordPress site, for example, may use Stripe to take visitors’ payments and Freshdesk for customer service. The site’s owner often then shares the collected information with other services for use in marketing: Facebook Lead Ads, Mailgun, Google Analytics and more.

All of these named services have Terms of Use requiring you, the website owner, to post a privacy policy on your own site stating how you collect and use visitors’ personal information. These Terms are binding contracts between you and those third-party services, and if you don’t keep your promise to have a privacy policy, you can lose your ability to use these third-party tools.

Violating these contracts can cause serious problems for your business growth down the road. As your business grows, you may consider partnering with other organizations — revenue-sharing deals, brand sponsorships, licensing deals, and so on. You may even get an acquisition offer. And most of these deals will require you to “warrant” — promise — that you have complied since day one with all privacy laws and contractual obligations. This makes sense: potential partners want to know whether they’re about to do business with a company that violates laws and breaches contracts, so they require you to confirm you’re compliant with them.

So does this mean that you should read the Terms of Use for every third-party tool that you use, to figure out whether you need a privacy policy? Yes — but you can skip that step, because we’ve done it for you. We recently reviewed the Terms of Use for 39 popular services that many businesses use to operate their websites or in connection with personal information their sites gather. Here’s what we found:

The Third-Party Services That Require Your Website to Post a Privacy Policy

First, more than half of the services we studied require websites that use them to post a privacy policy. These include Airbrake, Amazon Web Services, Campaign Monitor, Constant Contact, Facebook Lead Ads, FreshDesk, Google AdSense, Google Analytics, Google Firebase, GrowSumo, Heroku, LinkedIn, Mailgun, Stripe, Square (for developer tools), Squarespace, Stripe, Twilio, Twitter and WordPress.com. If you receive visitors’ personal information from any of these services, or share it with them, you’ve contractually promised to have a privacy policy on your site.

Second, some services go further and require you to include very specific language in your privacy policy. For example, Constant Contact requires that your policy link back to Constant Contact’s own website. Google’s AdSense and Firebase products require language about cookies; Twitter does the same if you use it to offer login-with-Twitter. And if you use Google Analytics, your own privacy policy must describe how Google Analytics works.

So what to make of this? First, assume that either your website or one of your other third-party services requires you to have a privacy policy. And building all of your online marketing efforts on a foundation that breaches a host of contracts is never an ideal strategy. Second, even if none of your third-party services requires a privacy policy, the law does. (Specifically, a California privacy law that applies to all consumer-facing websites nationwide).

The good news is that it’s easy and affordable to give your website a legally compliant privacy policy. Ask your business attorney for a privacy policy (or an updated one, if you have not updated it for a few years, because the laws and Terms of Use change periodically). It’s an easy job to tackle as part of an overhaul of your website Terms of Use or updating your online marketing materials, and it can open the door to business partnerships down the road.

The full list of third-party services whose Terms of Use we reviewed in June 2018 is below. Most services update their Terms of Use periodically, so this information may have changed since we published it.

  • Airbrake
  • Amazon Web Services
  • Campaign Monitor
  • Constant Contact
  • EngineYard
  • Facebook API, Lead Ads, Pixel and SDKs
  • FreshDesk
  • Google AdWords, AdSense, Analytics, Drive, Docs, Firebase and Forms
  • GrowSumo
  • Heroku
  • Highrise
  • Libsyn
  • LinkedIn
  • Mailchimp
  • Microsoft Office
  • Netlify
  • New Relic
  • Postmark
  • Square
  • Squarespace
  • Stripe
  • SurveyMonkey
  • SurveyGizmo
  • Teamwork
  • Twilio
  • Twitter API
  • WordPress.com
  • WordPress.org
  • WPEngine
  • Wufoo
  • Youtube
Adam Nyhan

Adam Nyhan represents clients in Maine, Silicon Valley and globally in software, privacy, trademark and business law matters. He is also the co-founder of a Software-as-a-Service startup and a former in-house attorney at a software firm in New York City.