Here's what you need to consider about hosting your Terms of Service and/or Privacy Policy: while you're not specifically required to host the legal agreements on your company website, you must keep the agreements available online so your users can read them.
Hosting your legal agreements matters
There are two reasons why the location of your legal agreements (be it a Terms of Service and/or a Privacy Policy) is important: user access and correct association with your company.
Current laws require that users can find and read your documents, but also, it needs to be clear to them that the documents are associated with your company.
This not only forces you to consider the location of your documents but also brings up important considerations when drafting them.
Access
Hosting your Terms of Service and Privacy Policy on your own website is the preferred option.
Many companies prefer maintaining HTML versions on their website and you would be in good company if you did the same. However, doing so is not a legal requirement.
Other companies often consider using a hosting site like GitHub to store their agreements.
You have these options because complying with requirements depends not on the location of your documents but on how easily your users can access them.
In the U.S., the Ninth Circuit ruled in Nguyen v. Barnes & Noble that users must have actual notice of the Terms of Service and Privacy Policy.
This includes providing a link to these agreements, but also a notification that the user must agree to the terms. Without these elements, your Terms of Service may not be enforceable.
Having a Privacy Policy is mandatory in several jurisdictions including the U.S., Australia, the U.K., Canada, and the E.U.
Like the Terms of Service agreements, Privacy Policies must also be accessible to your users.
In the U.S., both the Federal Trade Commission and the California Business and Professions Code require that the Privacy Policy be conspicuous and "reasonably accessible."
Therefore, the location of your agreements only matters to the extent your users can find them.
If your website presents the link to the Privacy Policy conspicuously and provides a link to your Terms of Service, you should normally be within the requirements.
As long as it's clear to your customers where they can find these agreements, where you maintain them is not relevant.
Correct association
In addition to your agreements being accessible to your users, it also has to be clear that they are relevant to your company and website.
This is an important consideration while drafting your agreements: besides adding your company name to the agreement, also consider including the web address and references to your products, including mobile apps.
This helps users know that the policies are designed for your websites and apps.
GrowStuff, an online community devoted to gardening, gives its registered name and the website address for its forums.
The same is recommended for Privacy Policies:
ClassDojo, which offers lesson plan material for teachers and learning opportunities for children, takes this approach with both its Terms of Service and its Privacy Policy.
Since its services are offered through a website, app, and purchased products, its agreements cover all of this ground.
ClassDojo's Terms of Service covers the same details as its Privacy Policy:
How to make your agreements available
Even though the actual location does not control whether you comply with the legal requirements, many companies want ideas for hosting the Terms of Service and Privacy Policy agreements.
Self-hosting
Self-hosting the legal agreements on your own website and linking to those agreements is the preferred strategy. When a user clicks on the link, it opens up an HTML version (the web page) of the agreement.
Most websites place these links in the footer, at the bottom of a web page. Most websites choose to host the agreements on their own pages.
This is a strategy adopted by GrowStuff:
Kidizen, a children's clothing resale service, also makes its documents available through footer links. Since this is a standard throughout the industry, any user who wants to find the Terms of Service or Privacy Policy of Kidizen knows to look straight at the website footer:
Since this is so common, it's likely you'll choose the link format for your company as well.
However, if you offer multiple products and services, and different agreements for them, you likely want to consider a platform that accommodates multiple documents better.
GitHub
GitHub is a project development platform that facilitates communication and sharing open source technologies.
It has another function which has proven useful to many web and app developers: it can host documents.
Growstuff maintains a GitHub page that displays its Terms of Service and Privacy Policy but also other agreements. As you can see in the screenshot, GitHub keeps these agreements organized and accessible:
Your GitHub page must be accessible. This is often also done with links, whether it is an "agreements" link that takes users straight to the GitHub page or individual links to GitHub documents.
The links circled here are pages hosted on GitHub rather than on GrowStuff's website:
If your business is especially document-heavy, you may prefer GitHub to multiple links. You can either link to each document or provide a broad "agreements" link that takes users straight to your GitHub page.
You can also take the approach ClassDojo adopts and reference your GitHub pages if you want to show revisions of your agreements:
However, since they are specifically mentioned in laws throughout the world, you always want to give the Terms of Service and Privacy Policy their own conspicuous and obvious links.
Formats for legal agreements
Most online businesses give the public access to their legal agreements - Privacy Policies, Terms and Conditions, etc. - by providing a link that takes the user to a web page where the text of the legal agreements can be found and read in an HTML format.
However, some businesses are choosing to provide PDF versions of their legal agreements instead of a simple web page/HTML version.
Is this legal, or must a website only host legal agreements in HTML format?
A mandatory format isn't defined, nor are any formats explicitly forbidden.
The California Business and Professions Code's relevant section (Division 8, Chapter 22. Internet Privacy Requirements, Section 22577(b)(5)) states that "any other reasonably accessible means of making the privacy policy available for consumers of the online service" is adequate posting of the agreement:
The California Online Privacy Protection Act (CalOPPA) only requires that the agreement be posted conspicuously on the website.
"Conspicuously" is defined as either having the agreement itself on the homepage of a website, which is rarely done, or providing a link on the homepage, formatted to be noticed (capital letters, large font, different color text than the surrounding text, etc.), that leads directly to the agreement's page.
No mention is given as to what format the linked agreement must be in. The link technically could lead to a PDF version or an HTML version and still be compliant with CalOPPA law.
The Federal Trade Commission (FTC) takes a similar stance and says that if you do have a Privacy Policy, you should make sure that customers and users have easy access to it by prominently displaying links to it in a number of different ways, from homepage access to shopping cart access for e-commerce sites.
Again, no mention is given as to what format the agreement must be in that the link must lead to.
For countries outside of the US, the same rules, or the same vagueness, seem to apply.
The Privacy Act of 1988 in Australia makes no mention of specific requirements for the format of Privacy Policies.
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) deals mostly with the information given to consumers within legal agreements, and the requirement of obtaining consent before collecting or using specific personal information. Again, no mention of formatting requirements for a Privacy Policy is made.
The agreement(s) just have to be "understandable and easily available."
In the UK, the Data Protection Act deals with privacy principles and protecting the privacy of individuals, but makes no mention of formats to deliver a Privacy Policy to a user.
There are 8 data protection principles outlined, however they do not provide a clear template for how to comply with the principles through legal agreements. General terms such as "fair", "appropriate" and "adequate" are used.
With such vague language, it can be argued that the only true requirements across the board when it comes to posting legal agreements apply to the way the agreements are linked and the content that's contained in the agreement itself.
There are no real requirements regarding the format (HTML or .PDF or even another format) that the agreements must be in, so long as they are easily available and accessible.
The question now is: Is the PDF format truly as easily available and accessible as HTML is?
The argument can be made that HTML is far more easily accessible to users as every computer will be able to quickly open the legal agreements links and present the agreements in a new web page in HTML format.
Mobile devices will also have no issue here because mobile devices and their operating systems have built-in PDF readers.
For a PDF-formatted agreement to be read on a computer, the user will have to have some version of Adobe Reader or other PDF reader software installed on their computer.
While downloading and installing PDF reader software can be done quickly and for free, it is one extra step that may complicate things for some users. This may sway the argument towards the side that says HTML is the better, more easily accessible format for presenting legal agreements compared with PDF.
However, either method is legally acceptable, considered easily accessible enough to meet legal guidelines, and both formats are widely used.
Examples
Here are a number of different websites that put their legal agreements in the PDF format, as well as some that stick with HTML format instead.
Legal agreements in HTML format
DHL provides an HTML version of its main legal agreements, all accessible from one main page with convenient top tabs to switch between the Masthead, the Terms and Conditions, and the Privacy & Cookies policy.
Sprint also takes the approach of using HTML to put all of the legal agreements, including the Privacy Policy page and Terms and Conditions page, and other informational sections for consumers in one easy-to-navigate page and menu.
This is definitely a more convenient setup for users to navigate and view all documents in, rather than needing to open a dozen different PDF files for each different policy or notice.
Legal agreements in PDF format
AMP, an Australian-based bank, provides typical footer links to its legal agreements.
When a user clicks on its Terms & Conditions link, the text of the agreement is presented in HTML on a separate webpage.
However, when a user clicks on the Privacy Policy link, the user is taken to a page that provides additional links in a "Privacy Downloads" section.
When a user clicks on the Privacy Policy link under the "Privacy Downloads" section, a PDF version of the Policy opens. That is, if the user has PDF reader software downloaded and installed on their personal computer.
The option to download the document and conveniently save it locally on a computer does add a perk to the use of PDF format over the HTML format, but accessing HTML pages for reference is just as easy and convenient in most cases and for most people’s needs.
Crashlytics also provides standard footer links for its legal agreements. Note the "(new)" notation next to each link that conveniently lets users know right away that there have been updates to the agreements. This is a nice touch that lets users know to look for updates.
Both the Terms of Service document and Privacy Policy document are provided in PDF format. Here is the screenshot of its Terms of Service:
And here is the screenshot of its Privacy Policy:
The ShareASale website provides 2 legal agreements in the informational footer of the site, both in PDF format.
The Merchant Terms of Use document opens up on company letterhead:
The Privacy Policy document is shown in the image below:
The National Institutes of Health have a mix of PDF and HTML formats for their website. The Privacy Notice page shown in the image below, from the website's footer, is linked to an HTML page.
National Institutes of Health's Privacy Policy is hosted as a simple HTML page:
However, there are other policies on the NIH website that are in PDF format, such as the "Rules and Regulations for Peer Reviewing".
The NIH website seems to put the basic legal agreements, such as the Privacy Policy and Intellectual Property Policy page in HTML format, which is generally more widely and easily accessible to everyone.
More specific, specialized policies, rules, and regulations that don't apply generally to everyone who visits or uses the website or NIH's services are more likely to be in the PDF format.
The College of William & Mary puts all of its program Policies and Procedures pages in PDF format.
However, the "General Policies and Personnel Policies" pages are a mix of HTML and PDF.
While there are no explicit requirements in any law or act that call for a website to present legal agreements in one format or another (HTML or PDF, for example), there are requirements that these agreements be easily accessible to users.
HTML does seem to be more convenient and accessible for all users, as HTML capabilities are automatically built into every web browser and mobile device.
However, with the wide use of PDF readers, and mobile devices' capabilities to read these files automatically, either format is widely used and widely viewed as acceptable as well as legally and socially adequate.
Since there are no legal requirements for where your Terms of Service and/or Privacy Policy must be hosted, or for their format, the decision depends on your resources and the amount of time you want to spend maintaining these agreements.
Consider the following:
- Website reliability. If your website server is normally reliable, it's likely a safe place to keep your essential agreements available to your users. There are companies that maintain documents on their websites and on a hosting service like GitHub as a backup method.
- IT resources. Making the Terms of Service and/or Privacy Policy available in PDF format means there's less HTML to program.
- Number of agreements. Kidizen and ClassDojo have multiple products and services but do not need separate agreements for each. Therefore, using links works well.
However, if your products are different and require unique agreements, you may want to find a better way to maintain them to avoid clutter.
If your agreements are easily located by your users, it will not matter where you host them.
Consider the attributes of your company and products first, then decide the best way to make your Terms of Service and Privacy Policy accessible.