It’s so tempting. You, a startup founder, stumble on a more established competitor’s website and find a beautifully detailed terms of service and privacy policy. You know you need policies like these, but you have no idea what you’d have to pay your lawyer to draft them. Plus, why have your lawyer go to all that trouble when someone else has already done the work? Sure, their business is a bit different from yours, but this stuff must be mostly boilerplate anyway, right?
Related: Privacy Policies
At some point, the cursor creeps toward the upper left-hand corner of the wall of text and then it happens—you’ve copy-pasted your way into a sleek new set of website policies. You feel a twinge in the pit of your stomach, wondering whether what you’re doing is OK, but you comfort yourself with the fact that you’re going to make some changes to their wording anyway since you do some things differently from them.
If this is a familiar story to you, believe me when I say I hear it all the time. Most founders will admit with some embarrassment that they did this, but add with a touch of defiance that “this stuff is mostly boilerplate anyway right” and “we tweaked it to match what we did so they’re really not the same.” Nevertheless, their business has matured and the founders are now ready to get a bespoke legal solution.
Look, I get it. Early stage founders have a million and one things to do, and website policies fall somewhere on their priority list between eating healthy and calling mom. And I don’t think that website policies should be the first priority for an early stage startup; however, copy, paste, and defer as a strategy can be even worse than having no policies at all.
For starters, website policies pretty clearly rise to the level of copyrighted material. Now, that’s not to say that their owners have an appetite to seek enforcement of their rights, but it is something to be aware of, especially if you’re copying policies from a competitor.
But the greater concern, in my mind, is that it’s very likely the terms you copy—even if you tweak them—won’t actually work the way you want them to for your business. It’s highly likely that the terms won’t accurately describe the way you operate, gather and process information, handle registration, and the like. You may try to iron out these differences on your own, but there will inevitably be language you don’t fully understand at some point, which could have significant implications for the accuracy of your policies or even the protections they provide to your company. This poses especially significant risks in more heavily regulated industries.
Even if you do pull off the customization on your own, what if the “beautifully detailed” terms you copied are actually not well drafted policies? What if your competitor ripped them from someone else who got them from some free online generator? You don’t know what you don’t know, and in this case it could lead to all sorts of problems downstream.
Finally, keep in mind that website policies are not (or at least should not be) static. The law is changing all the time (particularly privacy laws in recent years, like the GDPR, CCPA, and the VCDPA, just to name a few); website policies may need to be adjusted to be brought into compliance with these legal shifts. Even if you found the perfect privacy policy in, say, 2017, and even if you made all the right custom tweaks to it to fit your business, that policy could be woefully outdated by 2021.
Related: Does The CCPA Affect My Business?
Ultimately, I know founders aren’t going to drop everything to get a custom legal solution to the problem of website policies as soon as they incorporate. And that’s probably OK in most cases. But don’t assume the copy-paste approach represents a good solution either.