As with many legal services, business owners frequently have questions about the cost of drafting Terms & Conditions and Privacy Policy agreements.
Here is the short answer: there is no "fixed" cost for these agreements.
You will not find "one set price" for these legal agreements that your website or mobile app requires. Prices for a Terms & Conditions (T&C) or a Privacy Policy vary dramatically.
Every business has different needs that must be considered when drafting a Terms & Conditions or a Privacy Policy agreement. These needs, elements, and circumstances determine the costs.
Everything from your business industry to your unique intellectual property needs is considered in assessing the cost and complexity of your online agreements.
Websites vs mobile apps
Your legal agreements are simpler if you run one website than if you run an online service with a mobile app (i.e. SaaS app).
You may be able to create a Terms & Conditions and Privacy Policy agreement from a simple agreement, especially if your business industry and the services you provide do not fall under restrictive laws. This would cost you less because of the simplicity.
If you run both a website and a mobile app, your legal agreements must refer to both of them--or make a statement in the beginning explaining that the terms apply to all your services.
User-generated content
If you provide a website or app that hosts user-generated content, your legal agreements just became more complicated and more costly.
Any website or app that encourages users to submit content (text, images, video, audio) must explain copyright ownership and any rights the service retains in that content.
One example of this is Medium, a platform that allows writers to share content to a wide audience. Its Terms of Service explains that while writers may use the platform to share their work and ideas, Medium retains a "nonexclusive license" to use items for promotion purposes:
Here's another example by ROBLOX which provides a platform for users to create games. The section on user-generated content also contains disclaimers since games often involve complex elements not included with online articles:
The issue of user-generated content becomes more difficult if that content is provided by children.
Disney Jr. focuses less on licenses and copyrights than on privacy rights under the COPPA law:
Since user-generated content raises the risk of copyright violations, any infringement by a user can also transfer liability to you.
Due to the Digital Millennium Copyright Act (DMCA), a developer who hosts material that violates copyright protection laws can be held liable along with the infringer.
The way to avoid this liability is the DMCA takedown process. This involves providing a means where third parties can report copyright violations so you can remove them from your platform.
ROBLOX provides a process in detail in its Terms & Conditions agreement:
Depends on your business industry
Every business industry handles personal information differently. The industry your business operates in and the sensitivity of the personal information from customers you handle determine the complexity of your Terms & Conditions and Privacy Policy and, as a result, the cost.
The differences between industries are most apparent in privacy requirements.
Medicine, for example, requires detailed Privacy Policies and information protections that are not needed by a simple mobile game. Health services, and the apps and websites that assist these services, are bound by additional data requirements.
A mobile game is still required to keep up with basic privacy laws, but those are not nearly as thorough and complex as laws like the Health Insurance Portability and Accountability Act (HIPAA).
Here's an example. AmeriHealth, a health insurance provider, mentions HIPAA across its webpages. Its online services contain access to health information from patients which makes this step necessary:
Mentions of HIPAA are also apparent in the Privacy Policy, like in this example from HealthTap:
The same is true with Terms & Conditions agreements.
Developers who create mobile games often need rules of conduct for their users as well as intellectual property protection for game elements like music, characters, stories, and other unique characteristics.
However, a business operating a cloud-based service for a law firm may not require conduct rules but must offer terms that allow for enforcement against illegal activity, like copyright infringement.
This is one reason why cutting and pasting the Terms & Conditions and Privacy Policies used by other companies is never recommended.
There is a good chance that subtle differences between your company practices and the practices of your closest competitor prevent this competitor's Terms & Conditions agreement from working for you.
Depends on your services
Your business services also determine the complexity of your Terms & Conditions and Privacy Policy agreement. It's often the subtle differences that make it necessary for you to have a customized agreement.
For example, you may provide cloud-based document storage.
If you provide this service to healthcare providers in the U.S., you need to comply with HIPAA along with any other data protection laws, like the California Online Privacy Protection Act (CalOPPA).
However, if you do not provide your document storage services to medical professionals, you're limited to only general privacy laws (CalOPPA, in this case).
Therefore, you do not want to copy a Terms & Conditions or Privacy Policy from a non-health document storage company if you handle medical records.
A mobile game requires different rules in the Terms & Conditions than a dating app.
The unique functions of your business website or app require different terms that are not interchangeable.
Possibility of a merger or business sale
If you're creating a company in hopes of selling it, you need your legal status firmly in order.
That is due to the "Business Transfer" clause present in most Privacy Policies. Normally located in the section listing when you share user data, it explains that data transfers to the new entity if your business is sold or acquired.
This is how SurveyMonkey addresses this issue:
In addition to explaining that data transfers with the rest of your assets, the provision also keeps the current Privacy Policy in place. SEEDRS makes that reference directly:
Keeping your Privacy Policy in place after a transfer is good practice. It offers consistency to your users when your app and entity change hands. However, it can also produce potential liability.
A larger company evaluating your company for purchase wants to obtain your innovation, not assume new legal liability. If a Privacy Policy or a Terms & Conditions agreement is inadequate because you pasted together a few forms, the acquisition of your business could fall through because the buyer does not feel reassured.
The more personal data you collect, the more effort you must make in creating a Privacy Policy that reassures users and potential buyers. Depending on the complexity involved in providing this protection, you may pay more to secure the proper reassurance.
Controlling laws
Your app or website may be subject to unique laws. HIPAA was an example above, but these can also include:
- Ecommerce regulations, including those regarding distance selling
- Unfair trade acts
- Privacy laws concerning children
There are more laws affecting Privacy Policies than Terms & Conditions agreements. While the Terms & Conditions agreement is considered a contract where any terms work as long as they are not abusive, Privacy Policies fall under particular laws.
One of these includes the EU Cookie Law. The provisions of this privacy legislation require clear consent from your website visitors before you use cookies to collect data from them.
If you perform business in the EU, your business is affected by this "Cookies Law".
Trello addresses this in its Privacy Policy in which it describes cookies and indicates that visitors can refuse them. This would be in compliance with the EU Cookies Law:
If you do not use cookies or somehow cut off all EU access to your website, you may not need a Cookies Policy agreement or you can at least get away with a brief one.
The Children's Online Privacy Protection Act (COPPA) is a U.S. law that definitely needs addressing if you provide services primarily to children.
If you were to copy from a Privacy Policy or Terms & Conditions from an app or website that does not market to children, you could miss provisions required by this important law. This would include statements that parents can request and remove information regarding their children.
Disney Jr. addresses this in its "COPPA Privacy Policy":
Vulnerability to liability
Liability is the central theme to why you want good Privacy Policies and Terms & Conditions. Many businesses include general disclaimers that fit well in a Terms & Conditions agreement.
Amazon offers an example:
However, websites and apps offering what appears to the general public as professional service should proceed cautiously.
These websites and apps may face additional liability because their services are often interpreted as professional advice. They may disclaim this in a separate document, like a disclaimer, or place an additional disclaimer in the Terms & Conditions.
WebMD takes this approach since it offers medical information:
Even games require disclaimers at times.
Although a game like Pokemon GO does not share information like Lexoo or WebMD, it comes with its own share of safety precautions:
As a conclusion, there are many factors that could affect the complexity, and thus the cost, of your Terms & Conditions and Privacy Policy.