Q: What privacy laws apply to any “personal information” I receive?
A: Although the following language may seem standard, it creates a very high bar for you to meet your contractual obligations:
“The Receiving Party will collect, use, store, disclose, dispose of, provide access to and otherwise handle Personal Information received, collected or accessible to the Receiving Party hereunder in accordance with all privacy laws applicable to such information.”
If some of the information you receive is personal information of an EU citizen, for example, you will then be required to be compliant with Europe’s General Data Protection Regulation (GDPR), which has famously high standards. The cost of compliance might not be an amount you had originally contemplated.
As NDAs are typically signed early on in the contemplation of a business relationship to give parties the confidence they need to proceed with the transaction, this point will usually be negotiated later on in larger agreements that will supersede the NDA (such as a Master Services Agreement or MSA).
Q: Who is responsible for ensuring compliance with privacy laws?
A: There may be a positive obligation placed upon you to preserve personal information and confirm that you are compliant; it may be worthwhile to confirm that your practices are indeed compliant through your own audit. Keep an eye out for language such as the following, which may create a right for the counterparty to audit your business practices:
“[counterparty] or a third party authorized by it may, during normal business hours, from time to time on prior written notice, enter upon any premises of Company at which Personal Information is stored or used and audit the procedures, processes and information pertaining to Company’s compliance with this Agreement.”
Q: What is my jurisdiction, and what effect will it have on my agreement?
A: Most often, you will specify your jurisdiction or “governing law” for the purposes of dispute resolution. In many cases, the laws governing the contract will be those of the jurisdiction in which the contract has been executed. For unilateral documents (i.e. Terms of Use and Privacy Policy), this is typically the place where the business is headquartered. For example, if you founded your business in Ontario, Canada, your governing law would read similar to the following:
“All rights and obligations hereunder will be governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein, without regard to conflicts of law provisions of such jurisdictions.”
When conducting business with parties from out of province or out of the country, it is generally preferable to choose your home jurisdiction if possible. This can reduce costs and ensure that your local lawyer is qualified to give you advice on your agreement. Ultimately, the choice of governing law helps the parties determine how procedural matters and legal issues that may arise between them will be resolved.
Q: When should I use a non-EU Privacy Policy, and when should I begin using an EU-compliant Privacy Policy?
A: Every website that is accessible to a resident of the EU is, in practice, required to comply with the GDPR. It may also seem simpler to use an EU-compliant Privacy Policy from the outset if you know that your eventual plan is to expand to Europe. However, it is important to note that European law imposes a very heavy compliance burden on businesses through the General Data Protection Regulation (GDPR). Early-stage businesses may struggle to meet GDPR standards, and may be opening themselves up to greater liability in the form of fines, and other punishments for non-compliance. If you do not currently have a presence in the EU, the risk of this is minimal.
As an additional note, if your website is purely informational and does not actually collect, handle, store, or distribute information about users, then your main concern would be simply to inform users that third parties (e.g. Google) may be using cookies on your site, which you do not have control over.
You may wish to consult with counsel to determine what the best course of action is for your business.
Q: What is a digital distributor and how does it affect my agreement?
A: If you are offering your services through an app hosted on a “digital distribution platform” such as the App Store, Google Play Store, or Microsoft Store (to name a few), users will often need to agree to those platforms’ own TOUs and Privacy Policies, which may contain provisions that allow your app to access user data collected by the digital distributor.
In addition, digital distributors may mandate certain clauses be included within the privacy policies and TOUs of apps listed on their platform. These can affect the manner in which user data is collected, handled, stored and distributed.
If you are not, and do not intend to be, listed on a digital distribution platform, you may wish to consult counsel to tailor the terms of your agreement to your needs.
Q: Can formatting your document increase how enforceable it is?
A: There is a case to be made for making your Terms of Use and Privacy Policy as user-friendly as possible. For one, it is harder for a user to argue that they did not know about a term of your agreement if that agreement is easy to read and navigate. Generally, a neat font, a good font size, and plenty of boldface headers can go a long way toward making the agreement reader-friendly.
One of the tools in your formatting arsenal is hyperlinks. Once you have uploaded your Privacy Policy or Terms of Use to your website, you may wish to consider including hyperlinks every time your agreement makes an internal reference (i.e. to another section of the agreement) so users can jump to that section if they want to read more about that clause. For example, think about how annoying it might be for a user to have to scroll from clause 54 to clause 2.
Also consider including hyperlinks when your agreement refers to a different agreement, such as when your Privacy Policy refers to your Terms of Use. Linking to the other agreement also makes it easier for users to access information that is pertinent to being able to understand what they’re agreeing to.