I'm both interested in how startup folks are doing things and doing a little market research. I occasionally see mistakes in SaaS terms or obvious evidence of copy/pasting. An attorney friend and I were discussing a service that helps build TOS/Privacy pages based on common SaaS features/properties.
We copy/pasted & find/replaced from another site or app
I paid a local law firm for a TOS once. It was not cheap, and after I received it, I had to manually edit out the remnants of an unfinished search/replace of another company's name.
One more anecdote: When my service went live, I put a free t-shirt offer deep in the TOS. Only had 1 person ever try to redeem the offer.
wordpress.com's TOS is "available under a Creative Commons Sharealike license, which means you’re more than welcome to steal it and repurpose it for your own use".
Using WordPress.com's TOS is a really bad idea (in my view) if sections 11 and 12 are left in their present form. Those sections could get you into the same type of legal trouble as Blockbuster's TOS got them into in 2009, in the Harris v. Blockbuster case. See http://www.ontechnologylaw.com/using-wordpress-coms-terms-of... for a discussion.
I've mentioned this here before, so I hate to sound like a broken record, but it seems worth repeating.
At a minimum, get your lawyer to review very carefully, and edit, the language of those sections.
They do have a term "If any part of this Agreement is held invalid or unenforceable, that part will be construed to reflect the parties’ original intent, and the remaining portions will remain in full force and effect."
This probably won't be good enough, though, as the "We can do anything we like" term can't be made good.
Perhaps you could add a term "If any part of this Agreement renders the remainder of the Agreement invalid or unenforceable, that part will be considered void, and the remainder of the Agreement valid and enforceable."
But that doesn't explain how you would resolve a part which only conflicts with a few other parts. You could include something about "if any part invalidates or renders unenforceable another part which is written previously on this Agreement, the part which is written later in this Agreement will be considered null and void." That might be dangerous though - a single bad term at the top could nuke the rest of the agreement.
But ... I'm not a lawyer. This is not legal advice. It's not that expensive to get a lawyer to review (and edit) a contract (OK, it's probably as much as a couple of dedicated servers, which might be a lot for a weekend project... but if you have more than one person in the company it's not expensive), and you get the bonus of a contract that actually does what you want it to, not what Wordpress wants. Wordpress probably has different priorities than you.
I used the Automattic privacy policy as a starting place as well. I'm having my lawyer review my draft version, which will be a lot cheaper than having her write it from scratch.
If you'd like to find other CC licensed privacy policies, you can use this search:
It looks like a number of folks who use lawyers said they tried to cut costs by preparing the first draft and then having their lawyer look at it. Curiously, this can actually take a lawyer more time to review (and, hence, cost more money). I'd at least consider asking the lawyer for their base form that is the closest starting point for your business and working from that to prepare your first draft for their review.
Virtually any lawyer that does the same type of work repeatedly will have a set of base forms they usually start from. The cost benefit is that they don't have to review things in as much detail because they are already familiar with it (they essentially draft and review documents as diffs from their base form). If you give them a form they've never seen, they literally have to read (and understand) every word.
This. I use a lawyer. He pulls a TOS off the shelf, edits a few paragraphs and it's done in no time. This is way cheaper (and quite reasonable) than having him review an existing document. It pays to go with a lawyer who knows about these things. This shouldn't be a hard problem.
Here's a question: has anyone ever heard of someone being sued for copyright violation for reusing parts of someone else's TOS or other posted legal document?
I have asked a lawyer this question. His response was:
As for copyright over similar disclaimers, we, as attorneys
have to use language that is acceptable as far as precedent
and current law is concerned, thus, language will often be
verbatim. Because of this there are no problems with
copyright as far as the terms of use are concerned. The
same principle is applied to real estate P&S contracts, as
well as construction contracts and the like.
In the UK I know it's not ok to e.g. make a photocopy of a standard construction contract and, I'm guessing, any other type of contract where copyright is claimed by the author. In a contractual dispute, if it can be shown that you do not generally act in good faith, by infringing copyright in this case, it can be used as evidence to call into question your intention to carry out your obligations under the contract and therefore a judge could decide that the other party may be relinquished from their obligations. UK contract law is pretty complicated though and IANAL by the way.
Edited for clarity.
I am also not a lawyer, but this is clearly not the case in the US. Lawyers are even encouraged by the courts to use identical language so that prior judgements can be absolutely relied upon.
FWIW, we're in the middle of dealing with this right now in the UK, and the legal advice we have received is significantly different to that above. Caveat entrepreneur.
My answer to the poll (for these and most other legal documents) is that we produce a serious draft ourselves first, and then take it to a decent lawyer for review.
Our experience has been that asking lawyers (and accountants) to draft documentation from scratch is rarely cost-effective. If they aren't already very familiar with your business, you're just going to get whatever they can throw together in a couple of hours based on a loose understanding of what you do, partly because you're probably not paying for any more than that, and partly because they probably don't have enough detail from your preliminary discussions to produce something better anyway. Then you're effectively going to rewrite much of it yourself just to explain to them how things really work in enough detail to work with, and you're still going to go and see them again afterwards for fine-tuning.
Edit: We do, however, sometimes have a preliminary call/meeting with a lawyer to find out what sorts of headings we ought to be filling out and ask about any tricky areas so we have some understanding before we try to draft anything. But we still do the drafting ourselves, even if it's just a plain English but detailed description of what we want to say that the lawyers can work on later.
Remember that the lawyer in question is not your lawyer. You probably shouldn't take the above (or, in fact, the below - nothing I say is legal advice, nothing in this thread is legal advice) as legal advice.
I am definitely not a lawyer, but that lawyer's response sounds reasonable, but it sounds like it was also likely under a range of conditions -- in particular, I think if you ever get in a position where you have a bit of a "special" contract (i.e., anything unusual in the broad sense of the term) copyright could very well apply.
Oh, I understand. I'm not duplicating large swaths of text wholesale. Most of it I'm writing fresh -- so given the above, it really sounds like I don't have to worry about borrowing a few phrases here and there.
I'd find such a service very interesting, particularly if you could produce minimally-offensive common-sense terms that still serve the appropriate function of avoiding liability.
Hmmm, I signed up for your service. At the end, it was saying there were 500+ people in line ahead of me. I could spam my social media network to get to the front of the line, for a service I had never used. That was a big turn off for me, so I went with other avenues.
The service is in private beta, we are simply not ready to welcome too many users, and I'm sorry for this. Nobody forces you to spam your social media network, you can simply wait :)
Great to see this discussion - I think that most contracts in many areas of law could be standardised. The same way that open source and creative commons licenses standardise those areas.
A few of us are working on starting a non-profit to do that - taking the first small step of making an open UK employment contract.
Anyone with a business in the UK who might be interested in using such a contract, do get in touch!
callmeed, I'll email you to see if you'd like to join forces. Website T&Cs are definitely a good one to do.
> Great to see this discussion - I think that most contracts in many areas of law could be standardised. The same way that open source and creative commons licenses standardise those areas.
In principle, this is a great idea. In practice, not so much. The problem with boilerplate contracts is that they're often unenforceable. In fact, simply having an IM conversation with someone in which you discuss and negotiate the responsibilities of each side could carry more weight in litigation than some obtuse, boilerplate contract.
I've actually been working on an NDA generator for a while now, and I'm hoping to eventually get it to a point where the variable elements can be negotiable by each side of the agreement. For example, things like duration/scope, when allowed by the respective jurisdiction, should be negotiable. Launching this into a full service (or a component of another service) that handles confidential information exchanges could be useful, too.
In the UK most construction contracts are standardised. The most common construction contract is the Joint Contracts Tribunal Standard Building Contract. Also see New Engineering Contract. Architects use the RIBA Standard Form of Appointment and there are equivalents for other construction consultants. With all these contracts you must buy a copy of the contract every time you use it.
This is one reason why many TOS and Privacy Policies appear very similar. Any site that collects information from children (which could be almost any site) must comply with the following:
"Section 312.4(b) of the Rule identifies the information that must be disclosed in your online privacy policy. Required information includes: the name, address, telephone number, and email address of each operator collecting or maintaining personal information from children through your site; the types of personal information collected from children and whether it is collected actively or passively; how such personal information is or may be used; whether such personal information is disclosed to third parties, various other types of information about those third parties as set forth in the Rule, and that the parent may deny consent to this disclosure; that the operator cannot condition a child’s participation in an activity on the disclosure of more information than is reasonably necessary to participate; and that the parent can review the child’s personal information and refuse to permit the further collection or use of the child’s information. 16 C.F.R. § 312.4(b)(2).
"The Rule also requires that a link to the privacy policy be posted clearly and prominently on your home page and at each area where personal information is collected. 16 C.F.R. § 312.4(b)."
As I can see "We copy/pasted & find/replaced from another site or app" is the most popular answer. So my question is: Is it legal to copy/paste TOS & PP from other sites if these documents aren't CC Sharealike license type?
I've been wondering about this lately as our company is getting to a point where we'll need to get something in the works (we launch our beta in November). Sort of surprising to see that a lot of people copy/paste. If anything, seeing as how a lot of people on HN are software developers (primarily of SaaS apps), we should have a HN TOS that generally applies to web apps. Certain sections could be marked as needs to be edited so that company-specific language could be substituted. Seems appropriate considering the majority are going the copy/paste route. Thoughts?
Any of the current solutions to the Privacy Policy / TOS problem make you waste money and time. I've experienced this problem myself and decided to solve this hell of hassle once and for all, creating a privacy policy generator that is really compliant, with a company making money behind (and this grants quality), built to speak web designers' language (not lawyers' one), allowing to generate a fully-customized high-quality privacy policy within 3 minutes, by pressing a few buttons.
As a web designer I've always faced this problem myself, that terrible hassle of getting rid of the privacy policy. Two years ago I told myself: why the hell nobody solves this problem once and for all?
So, I started working on iubenda (http://www.iubenda.com), with the goal of giving any website owner in the world a way to generate a Privacy Policy without having to read a single legalese word.
After a whole year of thinking, another year of cust dev, a seed round and even the awesome Seedcamp experience, we are here to conquer the footer of every website in the world :P
To date we have 2k people waiting to try out the product, we're approaching 1M pageviews served by our privacy policy icon, we have 100 beta testers and we're able to generate a privacy policy both in English and Italian languages.
# Why every solution mentioned is a mess (most of the time)
If you have to spend money and time on that boring document that nobody reads (aka privacy policy), the best you can hope is that the money is actually well spent.
The tough truth? Most of the time it's not, and I'll explain why.
-
## What are Privacy Policies about?
A Privacy Policy must inform the users visiting a website about the personal data collected, the use of those data, the parties involved (first and third parties) and few other minimal things.
The problem here is that every website is slightly different, different because it is using different services collecting different data. Any web designer can get it, on some websites you put Google Analytics, on some others Google Analytics and Google Adsense, sometimes you use Mailchimp to manage a mailing list, and so on.
Now, the problem is that most of the privacy policies I read don't mention these services, making the privacy policy completely useless.
-
## So, you're basically telling me that I paid $1k for my privacy policy, and IT IS USELESS?
Yeah dude, the privacy policy can't be general, it must be specific, or it's just like not having a privacy policy at all.
Of course you can fall into this hole while copy/pasting, while paying for a lawyer or while using a low-quality generator. Sometimes you may of course find a good lawyer or a good web company (like TRUSTe), but that kind of lawyer/service is usually expensive.
-
## Not every lawyer writes wrong privacy policies: here's a simple way to check yours
Try to ask your lawyer what a "cookie" actually is.
Most will start talking about chocolate biscuits.
-
## So, what?
Since the world is never white or black, the Privacy Policy World is not about having or not having a privacy policy, there's a gray area in the middle: having a privacy policy that sucks. Sad but true, this is the most common situation.
After analyzing this situation and getting to the conclusion above (privacy policies are expensive, and they even suck), I simply started working on a solution, and here I tell you what I did.
-
## Rethinking the Privacy Policy from scratch
The Privacy Policy model had to be rebuilt from scratch. The current model was a lawyer's parturition, but the only thing that lawyers are able to build is boring documents that nobody ever reads. How can you accept such a state of things?
So I studied the law to extract the naked privacy requirements: personal data collected, use of those data, parties involved (first and third parties).
-
## Personal data
The personal data collected depend on the services used on the website, such as Google Analytics or Google Adsense. Other ways to collect data are the mailing list, the registration form, the comment system. All these uses are standardized, they're the same on every website.
Since the web design world is moving fast to SaaS services, outsourcing most of the personal data collection, the standardization is even increasing.
-
## Use of the data
Another requirement for the Privacy Policy is the data collection purpose, but if the world is made of websites using standardized services, the purpose corresponds to the purpose of those services, like "analytics" or "advertising".
Another point is gone.
-
## Parties involved
The website itself will always be an involved party, but what about the others?
Wait, those SaaS services have a company behind, and that company is that third party we are looking for (such as Google for Google Analytics). Bingo!
-
## We have the ingredients, now the recipe
The next step was to put this all into a simple UI, allowing to generate a Privacy Policy with all the complexity hidden behind.
The good news is that we made it.
The model required a database made of privacy policy pieces referring to the standardized services (Google Analytics, etc), with some room for customization too (e.g. Registration forms don't always ask the same information).
These pieces had to be assembled like a puzzle, and that's the reason why software exists.
-
## Who's more clever than me?
Ok, I'm kidding. The truth is that the process is simple, very simple, but quite powerful. And it generates beautiful privacy policies with nearly no effort. Completely awesome.
Ehm, I spent a whole hour writing this comment, you spent a few minutes of your valuable time to read.
Since our motto is "conquering the footer of every website in the world", I feel more or less like Brain from "Pinky and the Brain":
- What are we going to do tonight, Brain?
- The same thing we do every night, Pinky... Try and take over the world!
If you're interested in solving once and for all that hell of hassle of writing a privacy policy (w/ TOS coming soon), be sure to try out our product:
It looks good, but wouldn't it repel potential customers? Might be more effective to obfuscate all the data collection stuff. (Sorry, I don't like it myself, just wondering).
Privacy is about making people confident, about making people trust you. If people feel safe, they will share anything, and a clear privacy policy makes people feel safer.
TRUSTe reported several tests on this side, even Facebook had a huge benefit from changing the "privacy policy" policy to something more clear.
Just to tell something more on this side, we are working with http://dribbble.com/jonnotie to make our privacy policies not only useful, but even beautiful :)
Stay tuned :P
I would caution that entrepreneurs don't get overconfident about their Terms of Service. In many cases TOS are not really binding, especially if visitors never have to explicitly agree to them when using a site. Many sites blithely copy a TOS and then believe that their copyrights are safe but when it comes down to it, your legal success is a matter of your ability to pay to defend yourself.
I've paid once and then just copied/pasted/modified ever since.
There should be a corresponding survey for where lawyers got their TOS/Privacy page text from. In my experience there are only 3 or 4 boilerplate pages and then some light customization (which I strongly suspect is done largely by interns and secretaries). That'll be a few hundred dollars, thank you.
For one of my projects, we took the TOS from a firm that was in the same industry with a similar product and heavily modified it to our needs... removed a lot that didn't apply to our situation and added a few things in the appropriate places. We judged appropriateness based on how the document was initially arranged.
I think our incorporation, terms of service, and privacy policy cost us two or three grand in total. Money well spent. I sleep better at night not worrying that some thrice copied faulty ToS document, written for another jurisdiction, isn't a sleeping problem.
I recently went through this process and paid a law firm to do this. I saved a fair bit of cost by writing the terms and privacy policy myself first (based on other examples around on the web) and then getting them to adjust it rather than start from scratch.
I've considered offering this service via my law firm. I'm curious what people would pay for generated ToS/Privacy Policies derived from a Q&A interface. My gut feeling is that the price should be under $250.
I wish we didn't have to include a TOS and could write an easy to read, open list of rules and how we use user data but for legal reasons this becomes rather hard.