
Privacy & Security Policies

Regulations governing the collection and use of "personally identifying information" (FN1) are popping up all over the place. Many have heard about the EU's General Data Privacy Regulation (GDPR), but fewer are aware that Colorado also passed its own data security laws in 2018.

Effective as of September 1, 2018, any business that collects personal information (as defined by the statute) on Colorado residents is required to create and implement a security policy regarding the maintenance and disposal of that information.

The law applies regardless of whether the personal information is stored digitally or physically. That is, even businesses that keep only paper receipts or other physical documents are no less required to comply with the statutory mandate to create and faithfully implement a security policy.

Furthermore, the law applies to all businesses regardless of size and type of entity - although the "reasonableness" of the security measures depends on the size and resources of a business.


As a result, it is increasingly important for startups and small businesses to create and implement distinct privacy and security policies.

Businesses are also increasingly being required to conspicuously display certain disclaimers or notices to users of their websites or other services that may collect personal information. For example, you may have noticed the ubiquitous pop-ups on websites and other disclaimers regarding the site’s use of “cookies.”


As a result of the GDPR and California's new Consumer Privacy Act, businesses that collect personal information are required to respect and provide notice of the rights of individuals in certain regions with regard to the use, amendment, and removal of that individual’s information.

Some of these privacy protection laws may not apply to smaller businesses, but it is increasingly important for every business owner to understand the applicable regulations and their own business practices with respect to the handling and storage of any personal information, so that they can adopt and maintain privacy policies accordingly.

Pote Law Firm follows developments in the areas of data security and privacy to assist clients in understanding these regulations and in developing any required policies so as to best protect that particular business.

If you need assistance with a security or privacy policy, PLF may be able to help. Reach out today!

Terms of Use and Service

Many startups and small businesses also benefit from the creation of Terms of Use, Terms of Service, Terms and Conditions, or the like to govern the use of their websites, mobile applications (“apps”), or other software or services.

These “Terms” allow businesses to express to users of a site, app, software, or service the conditions under which it is provided to users, allowing users to either accept the provided terms or discontinue use.

Such Terms are governed by the laws that govern contracts generally. This benefits business owners by giving them considerable flexibility with regard to the content and scope of possible conditions.

Colorado courts, for example, have generally been willing to uphold a variety of disclaimers and limitations on liability, mandatory arbitration provisions, forum selection provisions, and choice of law provisions.



However, the application of contract law also means that businesses are required to provide conspicuous notice to users regarding any applicable Terms. It also means that users must affirmatively accept those Terms. The clearest example of affirmative acceptance is an executed document. But in the world of websites and mobile apps, acceptance has been held to have come from a variety of user actions, including simply browsing the site or using the app.

Nevertheless, it is certainly preferable to have users more explicitly acknowledge and accept any important conditions. This turns not only on well-drafted Terms, but also on the structure and content of the website or application, including the layout and design. Were terms hyperlinked or presented to the user? Was the user required to accept the terms in order to use the site or app?

Answers to these and other questions will likely guide the decision on the enforceability of the terms with respect to any particular user.

The Pote Law Firm works with entrepreneurs and small business owners to help them properly consider these issues and to draft appropriate terms and conditions. If you need assistance with any terms or policies, PLF may be able to help. Reach out today!

FN1: Not every regulation uses the phrase "personally identifying information" but instead may employ a slight variation. Regardless of the phrase used, the statutes all provide a definition for the operative phrase and there are some important differences amongst these definitions.
