A Website Terms of Service + Privacy Policy bundle packages the two foundational legal contracts every commercial website needs into a single, coherent legal instrument. The Terms of Service govern the relationship between your business and every visitor, customer, or registered user — defining account rules, acceptable use, payment terms, intellectual property ownership, disclaimers, limitation of liability, and the arbitration framework that resolves disputes. The Privacy Policy, the second pillar, satisfies the disclosure obligations imposed by California's CCPA/CPRA (Cal. Civ. Code §1798.100 et seq.), the Children's Online Privacy Protection Act (15 U.S.C. §§6501–6506), and the EU General Data Protection Regulation (Regulation 2016/679) for European visitors. Together they form the compliance backbone of any U.S.-operated website that collects data, sells products, runs ads, or accepts user-generated content.
Website Terms of Service & Privacy Policy Bundle — US 2026
What is a Website Terms of Service and Privacy Policy bundle?
The Terms of Service (also called Terms and Conditions, Terms of Use, or User Agreement) is a binding contract that visitors accept when they use your site. Its enforceability depends entirely on how acceptance is obtained: the Ninth Circuit's reasoning in Berman v. Freedom Financial Network (2022) confirmed that hidden hyperlinks and ambiguous click-flows fail to bind users. A properly drafted ToS uses a clickwrap mechanism, displays the agreement in a legible font, and presents the assent language unambiguously above the action button.
The Privacy Policy is not optional. It is a statutorily required disclosure under multiple overlapping regimes. California has required one since the California Online Privacy Protection Act of 2003, and the CCPA/CPRA layered detailed content requirements on top of it. Twenty other U.S. states now have comprehensive privacy laws on the books, and the GDPR requires a separate set of disclosures for any visitor located in the European Economic Area. A bundle is more efficient than two separate documents because the definitions, contact channels, and dispute-resolution mechanics are shared, and cross-references stay internally consistent.
This template is built for U.S. businesses operating online stores, SaaS products, mobile apps, content platforms, marketplaces, lead-generation sites, and brochureware that collects email addresses. It is not designed for HIPAA-covered entities, federally regulated financial institutions, or operators of services directed primarily at children under 13, each of which requires a specialized treatment that goes beyond the standard bundle. Visit our business legal templates library to see related instruments.
Legal framework
A U.S. website operating commercially today sits at the intersection of at least four distinct legal regimes, and a serious bundle has to speak to each one in the same document. The California Consumer Privacy Act of 2018, amended by the California Privacy Rights Act of 2020, governs any for-profit business that meets one of the statutory thresholds: gross annual revenue above $25 million, processing the personal information of 100,000 or more California consumers or households, or deriving 50 percent or more of annual revenue from selling or sharing personal information. Even smaller operators are routinely drawn in when their advertising stack triggers the sharing threshold through pixels and cookies. The Privacy Policy must disclose the categories of personal information collected, the purposes of collection, retention periods, the categories of third parties that receive the data, and the consumer rights to know, delete, correct, opt out, and limit the use of sensitive personal information. The California Privacy Protection Agency enforces these obligations through formal rulemaking, and its 2024 enforcement advisories make clear that user interfaces presenting privacy choices must be symmetrical and free of dark patterns.
The Children's Online Privacy Protection Act of 1998, enforced by the FTC under 16 C.F.R. Part 312, applies to any operator of a website or online service directed at children under 13, or who has actual knowledge that it is collecting personal information from such children. The 2025 amendments tightened parental consent mechanics, expanded the definition of personal information to include biometric and government-issued identifiers, and shortened the data retention default. Even a general-audience site needs a COPPA carve-out paragraph that disclaims collection from minors and explains the deletion procedure if a parent reports a violation.
For European visitors, the General Data Protection Regulation imposes its own checklist: a lawful basis under Article 6, transparent information notices under Articles 13–14, the full slate of data-subject rights, an EU representative under Article 27 for non-EU controllers, and standard contractual clauses for transfers to the United States that survived the Data Privacy Framework litigation. Our drafting follows the structure laid out in the Cornell Legal Information Institute's overview of consumer-privacy statutes and incorporates the cookie-consent vocabulary required by the ePrivacy Directive for EU traffic, including granular consent categories and a clear withdrawal mechanism.
When do you need this document?
The most common trigger is launching or relaunching a commercial site, app, or SaaS product. Any platform that collects an email address, processes a payment, places an analytics cookie, or hosts user-generated content needs a published Privacy Policy and a binding Terms of Service before traffic starts. Operating without these documents exposes the business to enforcement for deceptive practices under Section 5 of the FTC Act, statutory damages under the CCPA of up to $7,500 per intentional violation, and GDPR fines of up to 4 percent of worldwide turnover for serious infringements affecting EU visitors. The September 2025 Tractor Supply settlement, which cost the company $1.35 million for CCPA cookie-banner failures, shows that enforcement is real and increasingly granular.
The second trigger is a material change to data practices. Adding a new analytics provider, switching email marketing platforms, integrating a chatbot that processes conversations off-platform, launching a loyalty program, or onboarding a payment processor each shifts the categories of third-party recipients and requires a policy refresh. The CCPA mandates a review at least every twelve months, and the European Data Protection Board recommends the same cadence for GDPR compliance. Stale policies are themselves a violation, because they no longer accurately describe what the business actually does.
Investor due diligence is the third trigger, and it surprises many founders. Term sheets routinely require representations that the company's online terms are enforceable and that its privacy practices match its public disclosures. A mismatched policy discovered during diligence can stall a financing round or trigger an indemnification carve-out. Any founder preparing for a seed or Series A round should treat the bundle as part of the data-room hygiene, alongside the LLC operating agreement and the cap-table records. A final edge case worth flagging: businesses serving European markets through a U.S. site need this bundle even with a single EU customer per year, because the GDPR's territorial scope under Article 3(2) reaches any controller offering goods or services to data subjects in the Union, no minimum threshold required.
Key clauses included in our template
- The clickwrap acceptance clause is positioned at the top of the Terms and at every account-creation funnel, drafted to the standard articulated in Berman v. Freedom Financial Network (9th Cir. 2022). The hyperlink to the agreement is rendered in conspicuous text with the assent statement placed directly adjacent to the action button, which is the configuration most consistently upheld by federal courts.
- The arbitration and class-action waiver clause is calibrated to the Federal Arbitration Act (9 U.S.C. §1 et seq.) and the Discover Bank line of California cases, with a 30-day opt-out window and a small-claims-court carve-out. This combination has survived unconscionability challenges in California, New York, and the Ninth Circuit while preserving the cost benefits of arbitration. Our business contracts collection explains how the same structure works across vendor and customer agreements.
- The CCPA/CPRA disclosures are organized into the twelve categories of personal information enumerated in Cal. Civ. Code §1798.140(v), with explicit "categories sold or shared in the preceding 12 months" subsections that the California regulator has flagged as the most frequent compliance gap.
- The Do Not Sell or Share My Personal Information link language and the Limit the Use of My Sensitive Personal Information link are pre-drafted and ready to be wired to your consent-management platform. The template honors the Global Privacy Control signal, which the California Attorney General has confirmed is a legally binding opt-out request.
- The GDPR Article 13 and 14 notices for European visitors are integrated as a parallel section rather than a separate document, listing the lawful basis, retention periods, recipient categories, transfer mechanisms, and data-subject contact information. The standard contractual clauses reference is included for transfers to the U.S. processor stack.
- The COPPA compliance paragraph disclaims collection from users under 13, describes the verifiable parental consent procedure if your service does accept minor users, and sets the deletion protocol triggered by a parent's complaint to the designated privacy contact.
- The intellectual property and DMCA safe-harbor clause assigns ownership of site content to the operator, reserves a non-exclusive license for user-generated content, and includes the 17 U.S.C. §512 designated-agent notice required to maintain hosting immunity.
- The limitation of liability and indemnification stack caps damages at the amount paid in the preceding twelve months, excludes consequential damages to the extent permitted by state law, and includes the New Jersey and other consumer-law carve-outs courts have demanded in recent decisions.
State-specific considerations
California sets the high-water mark for compliance and is where most enforcement actions originate. The California Privacy Rights Act (operative since January 1, 2023) created the California Privacy Protection Agency, a dedicated regulator with rulemaking and enforcement authority. Beyond the standard disclosures, California requires recognition of Global Privacy Control signals, a "Notice of Financial Incentive" any time a loyalty program or discount is tied to data collection, and specific treatment of sensitive personal information under §1798.121. The 2024 Age-Appropriate Design Code adds privacy-by-default obligations for any service "likely to be accessed" by minors. Our template builds these into the California addendum and pre-wires the symmetrical opt-out choice mandated by Enforcement Advisory No. 2024-02.
New York does not yet have a comprehensive privacy statute, but the SHIELD Act (N.Y. Gen. Bus. Law §899-bb) requires reasonable data security measures for any business holding the private information of New York residents, and the New York Attorney General has been active in enforcing implied-contract theories against websites with deceptive terms. The template includes a New York security-program reference and a venue selection clause that aligns with the state's preference for resident-court jurisdiction in consumer disputes.
Texas enacted the Texas Data Privacy and Security Act (Tex. Bus. & Com. Code §541.001 et seq.), effective July 1, 2024, applying to businesses processing personal data of Texas residents that fall outside the Small Business Administration size standards. The Texas attorney general is the exclusive enforcer and must allow a 30-day cure period before bringing an action, and the disclosure framework closely tracks Virginia's. Our Texas section maps the consumer rights notice and the appeal process onto the universal privacy notice.
Florida added the Florida Digital Bill of Rights (Fla. Stat. §501.71 et seq.) in 2024, which applies more narrowly than California or Texas but introduces specific rules around targeted advertising and the sale of voice or facial recognition data. The template flags the Florida-specific opt-out for adtech use cases and aligns the consumer-rights response window with the 45-day default that recurs across most state regimes, similar to how our real estate templates library handles state-by-state lease addenda.
How to fill out this Website Terms of Service and Privacy Policy bundle
You start by entering the legal name of your operating entity, its state of formation, and its registered address. The form then asks whether you sell products, run a SaaS subscription, host user-generated content, or operate a marketplace, because the IP, payment, and DMCA sections adapt to your model. From there, you indicate which states your site materially targets, and the template loads the corresponding state-law addenda automatically rather than asking you to read fifty statutes.
The third step covers data practices. You select the analytics tools, advertising pixels, payment processors, email platforms, and customer-support software you actually use, and the policy populates the third-party recipient categories accordingly. If you transfer data outside the United States, the form asks where, and inserts the appropriate standard contractual clauses reference. The COPPA and GDPR modules turn on or off based on whether you allow minor users and whether you have any European traffic, with the right text appearing in the right place.
Then you provide the contact channel for privacy requests, ideally a dedicated address such as privacy@yourdomain.com, plus a backup postal address. The arbitration provider, governing law, and venue are pre-set to defaults that survive in California, New York, Texas, and Delaware courts, but you can override any of them. The final step generates two synchronized files: a Terms of Service and a Privacy Policy that share definitions and cross-reference each other cleanly. You download both in Word for negotiation flexibility and in PDF for the public-facing version posted on your site.
Common mistakes to avoid
The single most common failure is invisible acceptance. Burying the link to the Terms in a footer, using a sign-up button that does not display the assent statement, or pre-checking the "I agree" box converts a contract into a non-contract overnight. Courts called this out in Nguyen v. Barnes & Noble and again in Berman, and the FTC has flagged it as a deceptive design pattern. The fix is mechanical: place the link adjacent to the action button, use clear assent language, and never pre-check anything. The second recurring mistake is treating the Privacy Policy as boilerplate copied from a competitor. The CCPA penalizes inaccurate disclosures more than it penalizes the absence of a policy, because the inaccuracy actively misleads consumers. If the policy lists "Google Analytics" but the operator has switched to Plausible, that is a violation in itself, regardless of whether any consumer was harmed.
The third mistake is ignoring the cookie banner question. The CCPA does not literally require a banner, but it requires a Do Not Sell or Share link, recognition of the Global Privacy Control signal, and symmetrical choices. Operators who deploy GDPR-style opt-in banners only for EU traffic and nothing for California visitors are missing the regulator's actual ask. The fourth is the "perpetual draft" syndrome: writing a strong policy in year one and never updating it. Each new vendor in the stack, each new product feature, each new state law adds a layer that must be reflected. The annual review the CCPA requires is the floor, not the ceiling. The fifth, mostly seen in startups, is mismatching the corporate entity. The Terms are signed in the name of the operating LLC or corporation, not the founder personally; getting that wrong sacrifices the liability shield documented in the LLC operating agreement and the articles of incorporation.