Privacy Policies, Terms of Service & EULAs – Oh My!

If you intend to release your game on an app store, provide content to users, or collect data from users on your site, you’re going to run into the need for at least two of the three policies above, if not all three. Do you know what they do or how they differ? If so, then enjoy this picture of a piece of cake.


piece of cake


Get it? Because setting up your online presence is a piece of cake! Ha. Ha. Yeah—I love bad puns. For the record, that cake was ridiculously delicious, evidenced by the slightly blurred image, as I was practically drooling in anticipation as I took the picture.


For those who don’t know the difference, trust me, the cake-link-picture was not a lie. I will explain the differences between the three policies, as well as some issues to note for privacy policies,  specifically with regards to California (yeah, we’re THAT state).


Privacy policies take up a bit of reading, but the later sections on Terms of Service and EULAs are pretty short in this article.


Privacy Policies


Fun Fact: The reason anyone is required (in the U.S., anyway) to have a privacy policy in the first place is because of a law passed by California.


That’s right, it’s not a federal requirement, it’s one state’s requirement that if you collect any data from a California user, you must post your privacy practices in a policy that is readily accessible to the user. But, since there’s no cost-effective way to only have a privacy policy available to just California users in an online world, the law effectively works as a national (and probably world-wide) requirement to post a privacy policy. California has since added a few more requirements with regard to do-not-track policies and consumer rights notices, but those are nitty gritty details.


Now, the reading to follow may be a bit dry because it has legislation in it, but if you’re serious about publishing your game or building a website that will in any way collect user data, this stuff is, unfortunately, something you have to know. To ease the boredom a bit, I’ve underlined what I believe to be the pertinent parts of the privacy policy legislation so you can easily understand what is expected of you.


What Is a Privacy Policy?


A privacy policy, unlike terms of service or EULAs, is not a contract. It’s a statement of policy. And while it’s not a contract between you and the user, it is still a binding promise on you, the service provider. That’s why it’s generally a good rule of thumb to meet both the bare minimum requirements set by California’s law (verbally said as Cal OPPA, because COPPA was already taken, as that’s the FTC’s requirements for privacy & kids), as well as only make promises regarding privacy that you’re capable of keeping.


The reason for this is because you’ll be held accountable for whatever you state in your privacy policy.


Thus, if you state in your privacy policy that you don’t share personally identifiable information (PII) with ANY 3rd parties, you should really mean that. This includes mass emailing providers, 3rd party extensions such as Facebook/Pinterest/Etc., Google Analytics, etc. Statements of no sharing with 3rd parties is taken literally such that you are expected to literally not share user information with anyone—because if you do, then you’re in violation of your own privacy policy, and someone could come after you for it (generally just government officials, I believe, but international laws may be different with regard to who can come after you for a violation like this).


Bare Minimum Information to Post in a Privacy Policy


This is a copy/paste from the law itself, and it is merely for reference of what MUST be included in any given privacy policy. Note that if your target audience is children, or if you have a special type of business model, it would be in your best interest to discuss your issues with a lawyer to make sure you are as transparent as you intend/want to be, and disclose the proper information and contact information regarding the use of data on your site.




(a) An operator of a commercial Web site or online service that collects personally identifiable information through the Internet [I provide a link to what constitutes PII below] about individual consumers residing in California [see what I mean?] who use or visit its commercial Web site or online service shall conspicuously [make it obvious and easily accessible] post its privacy policy on its Web site, or in the case of an operator of an online service, make that policy available in accordance with paragraph (5) of subdivision (b) of Section 22577. [The FTC has recommendations for transparency, starting on pg 14 for app and mobile developers in particular, which wouldn’t hurt you to look over and see how you can be more transparent in your practices to your users.]


[Note that you have a grace period to get your stuff together, as stated below]:

An operator shall be in violation of this subdivision only if the operator fails to post its policy within 30 days after being notified of noncompliance.


[Here’s what you have to do as a bare minimum]:


(b) The privacy policy required by subdivision (a) shall do all of the following:


(1) Identify the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service and the categories of third-party persons or

entities with whom the operator may share that personally identifiable information.


[“Personally identifiable information (PII) is any information that can be used to identify, contact, or locate an individual, either alone or combined with other easily accessible sources. It includes information that is linked or linkable to an individual, such as medical, educational, financial and employment information.

Examples of data elements that can identify an individual include name, fingerprints or other biometric (including genetic) data, email address, telephone number or social security number.] 


(2) If the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service, provide a description of that process.


(3) Describe the process by which the operator notifies consumers who use or visit its commercial Web site or online service of material changes to the operator’s privacy policy for that Web site or online service.


[So when you get an email about Facebook or Ebay changing their privacy policies, or see websites have an annoying banner at the top of their site proclaiming they’ve changed their privacy policies, this is why. It’s to protect your backside in the event you change your policies and someone tries to claim that they had no notice, and thus you’re in violation of the policy requirement].


(4) Identify its effective date.


[E.g. whenever you update your policy, state that day’s date. That way people have another way of knowing that it’s the most recent change, or if there WAS a recent change. It doesn’t matter if you’ve kept the same policy for 10 years, use that date of 10 years ago.]


(5) Disclose how the operator responds to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection.


[DNT signals were a good idea to begin with, but since websites aren’t required to honor DNT signals, it is, in my opinion, the equivalent to telling strangers on the street, ‘don’t look at me, please.’ As such, the law just requires that you state whether or not you honor DNT signals. If you do, be sure you continue to honor it. If you don’t, then that’s generally it, and the user is assumed to be informed about that if it’s in your policy.]


(6) Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.


[Key words, here, are ‘other parties’. This means you can’t say ‘I don’t know what they do, so I’m not responsible for what 3rd parties do or don’t do on my website.]


(7) An operator may satisfy the requirement of paragraph (5) by providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice. [Please explain to me why this wasn’t #6.]



That’s it. That is the bare minimum of information you have to explain in your policy, in whatever language you deem reasonable or in line with the tone of your website.


Risks With Keeping Too Much Data


Something that often happens with startups is that you may amass a lot of different kinds of data which you hope to put to use at some later point in your business development. The problem with this is that even if it’s covered in the privacy policy, it’s still a liability/risk to you to host that information, because it could get hacked and leaked. Thus, if you trim down the information you keep in storage, the less liability you might have to your consumers, because you don’t have that extra data lying around.


Let’s try a metaphor. Say the data you collect are like first edition books loaned to you by your users. They’re valuable items, and for the most part you store them in your library/office in your home. You have easy access to them, and pretty good protection. However, some of the 1st editions you don’t need right now, so you store them in a shed outside. If there’s a fire or a break in and that destroys the house library as well as the shed, you’re liable to your users for both collections, whereas if you got rid of the shed books, you wouldn’t be liable to (having to pay or deal with) users for those books. Basically you’re taking on extra risk you don’t need to by storing information you’re not using—take a hard look at your practices and see if you really need to keep that extra weight and whether the potential benefit outweighs the risk of loss.


COPPA – The Kids One


If your target audience online are kids under the age of 13, you absolutely will have additional requirements in your privacy policy. If your website is just a general website, like anything that doesn’t have an age gate (e.g. are you 18/21?), you may also need to address how you deal with data collected from children under 13, when you realize you’ve done so.


Check out the government’s FAQ about what’s required—it goes by types of data collected and what you have to do about it.


Here’s the site to check out for general-audience websites—it goes over when/how you need to delete minor’s data.


CA’s New Eraser Rule – Effective January 1, 2015  (and the marketing restrictions)


If you allow your under 18 users (not just 13) to post comments, pictures, etc. on your site, you’ll need to allow them the option to delete all of their content at their request. It’s basically ‘the right to be forgotten.’


Bloomberg states: “On January 1, 2015, California’s minor “eraser button” law will go into effect.  The law (California S.B. 568) will require the operator of a website, online service or application, or mobile application directed to minors under 18 – or an operator that has actual knowledge that a minor is using its service or application – to permit a minor who is a registered user of the service to remove or, at the operator’s discretion, request and obtain removal, of content or information posted on the service or application by the user. The law also requires the operators to notify registered users who are minors that such removal is possible and provide clear instructions for how to accomplish it.”


The issue many see with the law is the ability of others to share images and comments, which can then go viral, and how the website is supposed to deal with that—just because it’s deleted from that website doesn’t mean it’s actually erased. Protect yourself—talk to a lawyer about how to deal with this, if it’s an issue for you.


There’s also a marketing restriction attached to the bill in that if you know you have under 18 (again, not just 13) users on your site, you’re restricted from marketing products or services on your site that are only available to those 18 or over, such as drugs, vandalism, fireworks, etc. A privacy blog states this:


“The statute lists 19 categories of prohibited content covered by the law’s marketing restrictions, including, firearms, alcohol, tobacco, drug paraphernalia, vandalism tools and fireworks.  Notably, the law does not require an operator to collect or retain the ages of users, and provides operators with a safe harbor for “reasonable actions in good faith” designed to avoid violations of the marketing restrictions.”




Terms of Service


What are Terms of Service?


Terms of service (TOS) is a binding contract between you and the user with regard to the user’s use of your site/services. Where the privacy policy is a limitation on your behavior as the service provider, the TOS is a limitation on the user’s behavior when utilizing your services. Terms of Service and Terms of Use are generally the same thing.


A TOS is your arsenal to limit what users can and cannot do. This allows you to kick people off your site or service, protect your good users from abusers, and more. It also allows you to limit what liability you have to your users, which could potentially limit the kinds of situations in which you’re liable to the user, where they can sue you, and how they can sue you (e.g. arbitration vs court or class action).


There is no requirement to have a TOS, but it sure as hell is in your best interest to get one tailored to your needs. Copy and pasting only goes so far if the company you’re copying from doesn’t offer the exact same services as you, or doesn’t have the same requirements of their users as you would like. As such, it would be a great idea to make sure that this contract is just as tailored as any development or employment agreement you would have elsewhere in your business.


End User License Agreements (EULA)


A company will typically have a EULA when you’re giving the user a license to use or download a copy of the software, such as what Microsoft does with Office or Blizzard does with World of Warcraft, Diablo, and StarCraft.


If you’ve giving the user a copy of your software, you don’t want them to be able to copy or use it willy-nilly—you want to control and limit what they can legally do with the copy you’re giving them, which would be a license. However, you’ll still likely want a TOS IN ADDITION TO A EULA if you’re offering that kind of service. This is because the EULA typically applies to the use of the copied software, whereas the TOS applies far more generally to use of everything with regard to your services or products.  


Note that if you’re offering Software as a Service (SaaS), a EULA is not generally what you want to use, because generally you’ll be offering access to the software through a terminal, rather than giving them a copy. As such, a EULA isn’t generally appropriate for SaaS, but a TOS would definitely be appropriate, because that would govern the user’s acceptable uses of the software.



For educational purposes only, this is not legal advice, and I am not your attorney.