August 7, 2018

No privacy policy?

I'm amazed at how many products get posted on IH that, when I take a look, have no privacy policy, no terms of business, and do not identify the legal entity I'd be doing business with.

Now, it's clearly not a lack of effort, as most of these are visually excellent sites.

This makes me wonder two things:

  1. Do some IHers not think these are important? I'm sure everyone in the EU must be aware of the need for a privacy policy, and I see several posts (from people in the EU) asking about such issues. Are there EUers who don't know? Is the feeling about these things different outside Europe (where, I appreciate, the laws are not the same, but maybe you'd like to do business with EU customers)?

  2. Would you hand over your personal details, credit card number or, in the case of one product I saw posted on IH, the API keys to your Stripe account, to someone who does not identify themselves and with whom you have no contractual relationship? In which case, can I borrow your car?


  1. 8

    My guess is a lot of the products are in such early stages that people would prefer to spend their time/money seeing if they're building something valuable instead of shoring up legal obligations. The perceived risk of loss from not having a privacy policy probably pales in comparison to the perceived risk of not making any money at all.

    I was happy to find https://getterms.io/. It seemed like a common sense, balanced policy (though I'm not a lawyer).

    1. 4

      When considering options for my site, allmy.games, I also searched around for a bit to find templates that made sense. I ended up stitching together a few different things, but leaned pretty heavily on https://automattic.com/privacy/ (WordPress parent company). Their privacy policy and terms of service are licensed under Creative Commons, so they welcome people taking and adapting them to their own needs. I also found the language to be clearer and less legally-sounding than most other templates out there.

  2. 3

    When I checked Google Analytics, I found about 1 out of 100 people clicked on any of those pages. I don't target the EU. I don't take any credit card details, but if you're just validating, it seems like it's not going to skew your results much.

    I used this site for mine, they have some free ones:

    http://www.contractology.com.

  3. 2

    I'm surprised you think someone first starting would focus on administrative details before they've provided any value!

    That kind of attitude leads to aspiring "entrepreneurs" registering companies, buying business cards, meeting with lawyers and getting a fancy web site, feeling like you're doing "serious business" for several months and never actually building a product or a service.

    I don't think any of that "business theater" is important at the beginning. Once you're actually generating significant revenue and hiring people, I think it's important. When you're a large company it's crucial.

    To answer your second question, no I wouldn't give a stranger my Stripe API keys and I'd be somewhat hesitant about credit card details (though the bank does protect me from fraudulent charges).

    I'd have zero problem with clicking a buy button that used PayPal, Stripe or Gumroad to purchase products on a site with no privacy policy or TOS and I've done it many, many times. I've refunded a few, but the vast majority of the purchases, I've been happy with. YMMV.

    1. 2

      Sure. And I'm surprised you regard conforming with the law as an "administrative detail". Of course, I don't know where you are, so maybe these are not legal requirements in your target jurisdiction.

      Takes a couple of hours to find some text, cut and paste it onto a webpage, and add a link to your footer. Hardly a big hold up to delivering business value. I wasn't suggesting one should make it the first priority, just something to think about before going live and signing up customers.

      1. 2

        Laws and regulations are numerous and it's very likely that text you find on the internet and copy into a web page won't meet all the rules that might apply to you. It's a rabbit-hole that many people spend months on. Those who seek professional legal and accounting help at the beginning also spend more money in the process than the average person (on the planet) earns in a year.

        As I mentioned in a sibling comment, most countries de-prioritize crushing fledgling business endeavors. Many exempt small entities from various regulations.

        I am fortunate to be in a relatively free jurisdiction. If more tightly controlled jurisdictions such as China or the EU block my content, then I'll sacrifice those markets for now. At a given point in scale it might or might not make sense to invest in the compliance costs to operate in those areas.

  4. 2

    I might fit into this category.

    I actually have a privacy policy, but I just scraped it together from other privacy policies and templates I could find.

    I am well aware that this isn't a smart long term strategy, but I believe it's more than enough for the time being. Right now, I feel like I'm under attack from all of the tasks I need to do, and making sure that my privacy policy is tight is not high on my list of priorities, especially because I don't have millions of users yet and I'm pretty sure nobody will ever read it (except for you apparently :)).

    It could be the same for a lot of hackers, it's probably not a matter of stupidity or negligence, it's just a matter of priority.

    1. 2

      I can fully understand that we are not lawyers and might not have access to one. But clearly this was in your mind as a box you needed to tick, and you endeavoured to do so.

      I don't wish to accuse anyone of stupidity or negligence, I just wondered if for some people this is on the list and they haven't got around to it yet, or it's just not even on the radar.

    2. 1

      I did the same. My main reason is that I myself will never register for a site that does not have a privacy policy (maybe I'm crazy, but there you have it), and I have heard a similar sentiment from others before. I have also seen the privacy policy get some traffic since putting it up (nothing major, but enough to make me feel like putting it there wasn't a waste of my time).

  5. 2

    What is amazing is how big and profitable sites like this can become.

    A big UK exam revision service, had absolutely no name or contact details on its site, yet managed to gain 70%+ market share.

    You have to put your concerns in the context of the average user:

    .) Signed into google.com all the time ;)

    .) Happy to give all their data to Facebook/instagram/LinkedIn

    .) Attached blissfully unaware to their smartphone, Alexa and fitbit, with no awareness of potential privacy issues with these devices.

    The herd simply doesn't value their privacy or take security seriously.

    1. 1

      A few people have made the same point, and I agree entirely, most people (if you're a B2C business) don't care. (Though, they can care pretty quickly when things go wrong. And litigiously, and the law in many countries is on their side. And I don't have Google's lawyers.)

  6. 2

    What are some good legal resources for sites looking to create a basic privacy policy/terms? Often times cost is a barrier. Someone may ask "Why spend $75 on a privacy policy when I haven't even made any money?"

    I'm not disagreeing with you at all - I just personally don't know how to navigate this area when I just launched a site (not even a service accepting money).

    1. 2

      I'm not a lawyer, and can't vouch for the legal integrity. I used iubenda.com, and their products start from free. Other products are also available. And apparently, even more will be available - see below. :)

      1. 1

        Thanks Graham, maker of iubenda.com here. Always happy to see our product suggested as we're working hard on it every single day :)

        1. 1

          Remember me when my renewal comes around... ;)

    2. 2

      Just go to the website of any large reputable company which is in roughly the same sort of sector as you and read their terms and conditions and privacy policies.

      Then nick them and adapt for your own needs.

    3. 1

      I'm working on solving this problem here:

      www.lawvolcano.com

      It's something that I always wrestled with and now I'm working to solve the problem. We will launch soon.

  7. 1

    No I would never give up my credit card info, or my API keys to someone I don't know. No matter how awesome their product is. It's also foolish to have a website providing service to people all over the world and not have a privacy and cookie policy. They will hear from the EU soon enough when there is an incident.

  8. 1

    I don't worry about stuff like that until I at least have something that people are showing interest in and signing up. Then I'll start with something very simple which isn't much more than a "We don't sell your info". If dealing with EU laws is too much friction for me in the beginning, then honestly, I don't want EU users until I have something well-established and generating revenue.

  9. 1

    I tend to err on the side of caution so opted to spend the time putting together proper terms and privacy policies. That said, I accelerated the process by adapting the Github policies (which they permit!) for my needs. All in all it probably took 2-3 days to get it done. I got this idea from a fellow IHer actually a few months back responding to someone asking about resources for putting together policies.

    My site, launching this week: https://www.cryptotxalert.com/

    Github policies: https://github.com/github/site-policy

  10. 1

    Hey,

    What I did for https://www.botletter.com was using this service to generate a privacy policy: https://getterms.io/

    I customized it a bit according to my app and that was it. It took max 2 hours of work!

  11. 1

    I'm actually holding off on marketing until I have my legal documents in check. Totally agree with you.

  12. 1

    Good observation. Personally, I think that at the minimum, some privacy policy (with your company or soon-to-be-named company) should be present, beginning from the MVP or landing page stage. When someone is ready to pay you in exchange for services and your company is registered, get a lawyer to write a legitimate statement. It's the law firm that you hire that will defend their actions.

  13. 1

    The fine for not complying with those laws is 2% of your yearly income. Is it worth a couple of hours of your time to comply given the tiny probability of receiving such a small fine? You decide.

    1. 2

      You're in the EU? Since May, the maximum fine is now 4% of your revenue, or €20 million, whichever is the largest. You are unlikely to get a fine that large, but I'm guessing even just €10 000 is likely to sting. Is that worth a couple of hours of your time?

  14. 1

    I think the biggest reason is because it's tougher to handle this part of a web business. It's easy to buy a WordPress theme and find hosting, but tougher to create legal docs.

  15. 1

    Legal stuff is hard and something that's not your "core business". For 99% of your users it does not add any value to have terms of service nor privacy policy (even though it's required by EU law), so people tend to focus on other things.

    I bet this problem is something that a simple chatbot could fix, but we don't have any "de-facto" provider for it yet. Probably (hopefully?) someone will do that in near future.

    Think about the music industry: it was complicated and costly to go by the law back in the day (find and buy CDs), so people didn't care about the law and downloaded their music illegally. At some point it was pretty socially acceptable. Now we have iTunes and Spotify, and who bothers to download music illegally anymore?

    I hope someone would do the same for legal stuff.

    1. 1

      There's a few services around for this ... a few are mentioned in other replies.

  16. 1

    A lot of IHers are techies, not business people.

    Business people, whether they work in the areas of sales, marketing, physical product development, accounting or whatever all have to work within legal and standards frameworks so are all well aware of the compliance standards they have to meet.

    As @webapppro says, far too many punters simply do not care or assume everything is legal or simply do not understand the ramifications of their actions.

    Your point is well made, though. Unless and until IHers embrace the business requirements of their venture, they will never be true entrepreneurs but just techies who are hoping to make some sales.

    Sooner or later, failure to comply with national rules, regulations and laws will get IHers into trouble with regulatory and/or tax authorities.

    1. 2

      Another important factor is that in most countries, crushing fledgling business endeavors is a very low priority for authorities and in fact many tacitly or explicitly exempt very small operations from various regulations. The EU seems to be an outlier, and perhaps this is why Europeans seem so much less entrepreneurial than people in the US, China, etc.

      1. 2

        This comment was deleted 2 months ago.

        1. 2

          One of my good friends is French and recently started a blockchain-related business. I was somewhat shocked that he didn't even consider doing business as himself or creating an entity in France. Instead he spent 2 months in Hong Kong setting up a business entity and accounts. He doesn't live there or want to. It was all to escape French regulatory burdens, and surprisingly it was general business regulations, not related to blockchain.

          I had no idea it was such an extreme situation especially with France's new tech initiatives, entrepreneur visas, etc.

          1. 4

            France, like many other European countries, is essentially socialist.

            No-one has ever accused socialists of understanding business! Mind you, I say that but the government of my country is nominally Conservative (very, very roughly equivalent to the US Republicans) but you would never know it from the policies and somewhat incoherent philosophies they espouse.

            I believe that most political parties across Europe, including in the UK, are more globalist than nationalistic and more in thrall to the mega-corporations than they are to their own people or even their own economic engines - i.e., small business.

            Interesting to see that Hong Kong is still attractive for setting up in business. I did wonder whether the Chinese government would whittle away at the laissez-faire attitudes encouraged by the British.

            I was actually born in Hong Kong and lived there in the mid-eighties. I can remember there was a lot of concern at the time about what would happen after 1998.

            What did happen was that I nearly lost my British nationality in the 1981 British Nationality Act. I wouldn't but I nearly wasn't British when the 1948 British Nationality Act was passed. On both occasions, some bright spark within the Civil Service realised that all the children of diplomats and Service personnel would be rendered stateless if born abroad while their parents were serving the British Government. On both occasions, the omission was rectified before the Bill was passed into law but it has always struck me as indicative of how easily forgotten servants of the Crown always are.

            On a similar note, when I went to register at University, I discovered, after queuing in the British residents' queue for two hours, that my registration papers were at the foreign students' desk. Some jumped-up little clerk wanted me to join the back of that queue.

            Quite apart from not wanting to queue for another two hours, I was outraged that, as a British subject whose father was still a serving soldier at that time, I should be treated as an alien.

            I raised the roof. Even at the tender age of 18, I wasn't having any of that. I explained in a voice that became louder and louder and louder that I wasn't moving; that my father was a serving soldier (we were fighting the Falklands War at the time and he could have been called up for that) and that it was disgusting that I was being processed like an alien in my own country.

            I brought a hall full of 2,000 people to a complete stop. Apart from me, the place was silent. Then my records were found and brought to the UK desk so I could register.

            I felt I won an important victory on principle that day!

  17. 1

    All of my products (iOS / Mac apps) sell through the App Store and don't collect any sort of data, hence no privacy policy is needed in this case, I think. The payment information liability is on Apple in this case.

    1. 1

      Didn't Apple need your privacy policy as part of the review process? In my opinion it is listed for every app, see it at Facebook for example: https://itunes.apple.com/de/app/facebook/id284882215?mt=8

      1. 1

        Nope, my apps don't have it:

        https://itunes.apple.com/us/app/numberer/id1407001685

        Apple will approve your app even if you didn't supply a privacy policy, as long as they determine your app doesn't collect any data from the user.

        1. 1

          Definitely depends though, some categories are always required to have one and that might change the outlook :)

  18. 1

    Hi, you have a good point to which I don't have a good... :(

    Maybe you have a suggestion for Hackers that base their business in country X but want to operate globally? What are the legal implications for that kind of business?