Legal, Tax, and Accounting November 7, 2020

Free Legal Advice Weekend

Petar Todorovski @petartod

Hi all, a lawyer here.

My speciality is IT law (SAAS, data protection, contracts...), but I have some knowledge of other areas as well (incorporation, IP, taxes...).

Is there any legal question that you need help with? Post it here and I will respond with a solution this weekend.

  1. 3

    Thank you for this generous offer!

    Let's say I am building a new SaaS product and am trying to find my first customers. I am not sure yet if I can actually convince someone to use my product and pay for it.

    At this point, I have once spent four figures on legal texts with nobody buying my product afterwards. How could I avoid spending so much on legal texts while validating my idea?

    1. 5

      I assume you've spent the money on Terms of Service and Privacy Policy.

      While validating, documents created by a generator would do the job. Just make sure that the generator uses a template appropriate to your project (SAAS, e-commerce, blog, whatever). I believe that termly.io is the best one out there.

      Regarding the privacy policy, keep in mind that having one may not be enough for GDPR compliance. If your website/app uses cookies, you must obtain consent and keep records of it.

      1. 2

        Thank you so much for termly.io !

      2. 1

        Petar, thank you so much for taking the time to reply!

        May I ask a follow-up question?

        If a given ToS template matches my business case for about 90% with a small number of clauses not making sense or being incorrect in the context of my product, should I try to adjust the template myself (as a layman) or use it without any modifications?

        1. 3

          It is risky and you should own the possible consequences, but it may be good enough for the validation phase. When your app starts selling, have the ToS (at least) reviewed by a lawyer.

          1. 1

            Thank you for getting back to me, Petar!

            I did not understand whether you'd recommend for me to use the not completely fitting template as-is or to try to adjust it myself.

            What would you do in my situation?

            1. 2

              Adjust the template to your business in any case. That's the minimum anyone should do.

              1. 1

                Thank you so much for your reply, Petar! You've helped me a lot. Thank you for being such an amazing individual!

  2. 2

    Hi Petar! I'm building an Android/iOS app and also a blog. I want to comply with GDPR. I've read that basic tracking of visits to your websites using i.e. Google Analytics doesn't require consent from the end-user, but anything that goes beyond the tracking of just basic visits does require consent. Since I only want to do basic tracking for my blog, I hope I'm good there.

    For the mobile apps I want to do a more thorough tracking of different actions the user takes using Mixpanel. Is it possible to avoid asking for consent by anonymizing the tracked data? For example, generate a unique user id for every user and track that in Mixpanel, but do not track or save e-mail address, IP address, and so forth? In addition I would give the user the option to delete all of his tracking data and opt-out of the tracking from an options tab, but I'd like to avoid the consent for opting into the tracking, because the tracking is really essential to me.

    1. 5

      The short answer is - only if you anonymize the data before it reaches Mixpanel.

      You don't need consent for using anonymous data, but what you've described here seems like a pseudonymization, not anonymization.

      Anonymized data makes it impossible to re-identify the user. Pseudonymized data makes it possible to re-identify the person by the unique ID and therefore requires consent under the GDPR.

      The real problem here is the fact that in order to anonymize or pseudonymize personal data, you need to collect it first. And for collecting it, you need consent. Anonymization is "further processing" of data, and the consent is required at the point of collection, which is before the processing.

      It is best to talk to Mixpanel customer support and check out at what point the data could be anonymized. You could also opt for cookie-less tracking solutions such as Fathom Analytics or Plausible Analytics, if they could work with apps.

      1. 2

        Didn't know Fathom Analytics or Plausible Analytics were things -- thank you!

        1. 2

          I’d also like to mention that there’s https://panelbear.com - which is privacy friendly and offers a generous free tier.

          It’s made and hosted in the EU too, if that’s a requirement.

          I’m the one behind it in case you have any questions :)

          1. 1

            Thank you! Looks promising, I'll consider it when I start looking into analytics!

      2. 2

        Thanks so much. Yeah, I already thought that falls under pseudonymization. GDPR really makes life hard for a new business that needs to see how their few users act in order to improve the user experience. But what can we do. I'll also look into Fathom Analytics / Plausible Analytics. I'll probably ask the user for consent, and if he declines, I might still track him in an anonymized fashion (rather than pseudonymized fashion) using a cookie-less solution.

        PS: I looked at Fathom and Plausible. They look really promising.
        Your help was very valuable.

        1. 1

          Yes, GDPR makes it unreasonably difficult for businesses that rely on analytics.
          Btw, you may also want to look at Google Consent Mode if it fits your needs https://blog.google/products/marketingplatform/360/measure-conversions-while-respecting-user-consent-choices/

          1. 2

            Just wanted to update everyone, both Fathom and Plausible founders feel like their products are unsuitable for Mobile Apps. But Plausible says that there are people who use Plausible in their mobile apps. I'll look into Google Consent Mode next. Thanks for that hint!

            1. 1

              To add some detail specific to Google Consent Mode, this quote from the Google page seems highly relevant:

              If you’re interested in getting started with Consent Mode, please reach out to your Google account team. Implementing Consent Mode requires adding a few lines of code above your global site tag or Tag Manager container. To help with this process, we have partnered closely with several Consent Management Platforms. A few are already integrated with Consent Mode and are ready to help.

              Having a Google account manager probably implies you have significant spend on ads, Analytics 360, or both.

      3. 1

        What are your thoughts on cookie-less analytics and browser fingerprinting?

        There seems to be quite a bit of room for interpretation there and most GA alternatives seem to rely on this aspect for their offerings.

        1. 1

          The rules at the moment say:

          • If it collects personally identifiable information, then consent is required
          • If the fingerprints do not contain any personal data, you don't need consent.

          I agree that there is a lot of room for interpretation. I hope that the ePrivacy Regulation will resolve these issues.

      4. 1

        Couldn't you collect these kinds of usage analytics under the lawful ground of "Weighing of interests"? Instead of relying on consent. After all, it helps the business a great deal, and does not impact the user much / at all.
        What do you think?

        1. 2

          No, unfortunately, you cannot. I agree with you that businesses should be allowed to measure visits in their own yard, but authorities in the EU do not think so.
          https://cookieinformation.com/resources/blog/data-protection-authority-prohibits-websites-use-of-google-analytics

          Hopefully the new ePrivacy Regulation will change things for the better once it is passed.

          1. 2

            Ok got it, thanks for the link!
            One thing I struggle to understand: how do companies like instagram or amazon track our usage? It's not like I can sign up for their products and not give them consent for this kind of tracking.

            1. 2

              Hi Trunksome, I think that's a very interesting question. I just visited facebook and it actually asked me whether I want to consent to their cookies or "manage my preferences". Here's the screenshots of what they are writing:
              https://ibb.co/BLwLqV0
              https://ibb.co/PF4dPBL
              https://ibb.co/fdMBMcT
              https://ibb.co/phfvJ9f
              https://ibb.co/hfrrJzb
              https://ibb.co/jZXpBKC
              When I have time I will investigate this more.

            2. 1

              I don't know, to be honest. The same laws apply to them, but I don't know how they do it.

    2. 1

      To add some color to the technical/analytics side of this, you would have to generate a separate session ID for every visit, because without consent you can't remember who someone was. So, if Person A has two visits, they would appear like Person A and Person B. This is the approach that Plausible/Fathom/Simple etc. take in their web tracking; they just happen to not offer mobile SDKs.

      This robs you of a lot of the magic that Mixpanel makes possible. When all you have are sessions, it's impossible to leverage Mixpanel to look at retention, feature adoption over time, targeted communications... so what's the point of implementing it at all?

      You face a trade-off: give up a lot of analytics goodness, or ask for consent.

      1. 1

        Hi blakerson, I believe this isn't a huge problem. Either track using Google Analytics in consent mode as a basis, and additionally using Mixpanel if the user consents to cookies. So you only have detailed analytics with Mixpanel magic for a subset of your users, but that's a lot better than nothing. OR only track with Mixpanel using a separate session ID for every visit. Yeah, in that case those people who decline cookies will have no Mixpanel magic. But those people who accept cookies will support all the Mixpanel magic and Mixpanel allows assigning a session to a specific user in retrospective ("identifying" him). So if the user is active on the website and later (during the same session) accepts cookies, we can apply all the Mixpanel magic to his actions in retrospective. Should be possible in theory, no?

        EDIT: Applying in retrospective probably won't be possible, because each open of a web page, each fired event, will have a separate session ID, right? In that case we can at least set a flag that tells us whether the user accepted cookies or not and separate usage data with accepted cookies from data without accepted cookies within Mixpanel.

  3. 1

    Hi Petar thanks for that offer and hope you can still help :)

    Do I need to incorporate if:

    • Have a website, app in the google store and Apple Store, chrome extension
    • Receive payments

    Or can I just file a TM of the app/website name and use that name and not mine everywhere

    If yes, I am based in Spain, although I am Portuguese, where should I incorporate and where do I have less corp taxes and personal to avoid double taxation?

    Thanks
    Ana

  4. 1

    I'm late to the post but worth a shot. I covered it here: https://www.indiehackers.com/post/how-much-risk-am-i-putting-myself-in-by-using-designs-coming-into-the-public-domain-4794043560

    But to TL;DR: I want to use/sell someone else's designs, the designs should be in public domain. Copyright holder seems to really want to hang onto the copyright. What risk am I in if I decide to just use them anyway?

  5. 1

    Hi Petar,

    I'm building a privacy-focused survey platform called BlockSurvey. I would like to get your thoughts on data protection as a tech provider. In my platform, the end-users are data controllers and the blockchain provider is the data processor. Would this make my platform GDPR compliant? Any inputs on how to communicate this through privacy policies and t&c?

    1. 1

      If I understood this well, you are the data processor and the blockchain provider is your subprocessor.
      No need to communicate anything about privacy in Terms and Conditions. Privacy practices are communicated through the privacy policy.
      Aside from the privacy policy, you need a Data Processing Agreement (DPA) between you and the data controller, and one between you and each subprocessor. DPA is the document that instructs the data processor/subprocessor in writing to process the data. You can add it as an addendum to your T&C.
      Two other things to keep in mind: 1) the GDPR applies only to your relationship with EU users unless your business is registered in the EU, and 2) many other countries have GDPR-like laws (non-EU European countries, Brazil, Argentina, Canada, Israel, Thailand, Singapore, Malaysia, South Africa, soon India and Indonesia...).

      1. 1

        Petar, thanks for sharing. This is helpful.

  6. 1

    Hi Petar! Thank you for doing this!
    I was wondering what are the legal issues surrounding displaying images of products obtained from manufacturer's websites in another site (for example a search engine or price aggregator). Do I need to negotiate a separate license with each manufacturer or does this fall under fair use?

    To make this concrete, here is an example. There are many price comparison websites (like https://www.pricerunner.se/etc) that display images of products alongside the price information. Since these sites usually display 100 000s products, I've always wondered whether or not this website has negotiated some sort of license with each manufacturer to be allowed to display their images or if they have just scraped the images and their use falls under some sort of fair use type situation since they are obviously linking back to the manufacturer.

    1. 2

      It depends on the license. If the license of the image copyright owner allows you to use it, then you are good to go.

      You can find this information in the Terms of Use of the website you want to scrape the images from.

      Price comparison websites are usually affiliates. Amazon and similar websites usually grant affiliates with a license to use the images for that purpose. After all, it is in their business interest to provide such license.

      I wouldn't rely on fair use because fair use usually requires non-profit, educational, research, or similar purposes. It is risky to use copyrighted images under the fair use rule for commercial purposes, even if you use it only to review or compare products.

  7. 1

    Oh snap. That's a big offer you've got there.

    What's your take on @Shpigford's Twitter thread on asset vs stock sales?

    I worry that one possible takeaway is that decisions you make at the time of formation (when it's generally accepted to be footloose about many things) materially impact your personal outcome in the event that you successfully exit.

    1. 2

      Yes, that's the takeaway from the story.

      The ideal form and place of incorporation depend on your goals.

      It is acceptable to be less careful when you are just testing out the waters, but once the business starts growing and an exit is on the table, it is time to consider all the options with a lawyer or a CPA. It is easy to move to another (more favourable) jurisdiction or change the form of incorporation if needed.

      1. 1

        Thanks for the response and for the thoughts! I think this implication is really unsettling for founders.

        One thing that I take from Josh's thread is that there could be many years between incorporation and the exit, and that at least in some cases the years spent under one form of incorporation matter greatly. It's one thing to have a strategy that considers your individual goals (say, you're bootstrappy or swinging for the fences), but it seems that given a strategy there are still multiple options.

        So, supposing this community skews heavily toward bootstrapped indies that would happily call a $Xm exit a great success, is there a relatively safe 'default' choice for formation that most could roll with?

        1. 2

          I believe that one unlucky circumstance in Josh's case was that Baremetrics is incorporated in a high-tax state (California, according to a quick Google search).

          For the average indie hacker, I would say that an LLC is a good formation to start. In the US, Wyoming, New Mexico, and Delaware are good places to incorporate an LLC due to the low costs of running the company.

          Once the business gets serious:

          • If you need angel investing from US investors, change to Delaware C-Corp, or
          • If you need to sell the company like Josh, move the company to Singapore or another tax-friendly jurisdiction before selling and keep most of the hard-earned money for you.

  8. 1

    How well do no competes stand up in court?

    We are engaging with agencies on 6 months profit split contracts, and want to ensure that they don't create an identical product once they see how well it sells.

    Thanks for doing this!

    1. 1

      It depends on many things. It is hard to give a straightforward answer to this question.

      In general, courts uphold non-compete (NCC) clauses as long as:

      • they are enforceable under its jurisdiction
      • they are drafted properly.

      Regarding jurisdiction, most states and countries would enforce NCC. California is the most notable example of a jurisdiction that doesn't uphold them.

      If you are in the right jurisdiction, the next thing to consider is whether the NCC is:

      • clear in what it means
      • reasonable regarding the circumstances of doing business.

      When it comes to B2B NCC, the question you should also ask yourself is: Would the non-compete clause prevent the covenant from doing their trade normally?

      So, if you build SAAS products and you partner up with marketing agencies on a profit-split contract, such NCC wouldn't prevent the agency from doing their business (marketing).
      If you build websites and you partner up with a design agency that designs only websites for lawyers, an NCC preventing them from building websites for other lawyers tends to be unenforceable.

      Again, giving a straightforward answer is hard and depends on many circumstances. Talking to a lawyer from your state is a good idea in such situations.
