Post-graduate law degree, CIPP/E from the International Association of Privacy Professionals (IAPP). Privacy and Data Protection Research Writer at TermsFeed.
On this page
- 1. What is an Acceptable Use Policy?
- 1.1. Terms and Conditions Agreement vs Acceptable Use Policy
- 2. FAQ: Acceptable Use Policy
- 3. Who Needs an Acceptable Use Policy?
- 4. What Are the Benefits of an Acceptable Use Policy?
- 5. How to Create an Acceptable Use Policy
- 5.1. Introduction and Scope of the Policy
- 5.2. Definitions
- 5.3. Allowed Activities
- 5.4. Prohibited Activities
- 5.5. Consequences of Breaching the Acceptable Use Policy
- 5.6. Reporting Potential or Actual Violations
- 6. How to Display an Acceptable Use Policy
- 7. How to Get Users to Agree to an Acceptable Use Policy
- 7.1. Don't Use Browsewrap
- 8. Conclusion
An Acceptable Use Policy (AUP) is a document where you let users know what is acceptable and what is not acceptable when using your service or platform, as well as what the consequences of violating your policy will be.
This article will show you the importance of this type of policy and give you tips for drafting, displaying and getting user consent for your own.
Our Terms and Conditions Generator makes it easy to create a Terms and Conditions agreement for your business. Just follow these steps:
At Step 1, select the Website option or the App option or both.
Answer some questions about your website or app.
Answer some questions about your business.
Enter the email address where you'd like the T&C delivered and click "Generate."
You'll be able to instantly access and download the Terms & Conditions agreement.
What is an Acceptable Use Policy?
An Acceptable Use Policy sets out the rules for using your site or web-based service, including prohibited conduct and the consequences for breaching the rules.
It's particularly useful for sites or services that provide a shared network. For example, most educational databases, cloud-based services, and forums have Acceptable Use Policies.
A well-drafted Acceptable Use Policy is a useful risk management tool for all businesses, regardless of their size or the nature of the service it provides. It reduces the risk of misuse of your site or service, and helps to provide a positive user experience.
While an Acceptable Use Policy is not a legal requirement, it's a best practice to have one.
A clear, well-written Acceptable Use Policy:
- Prevents people from using your site or service for illegal or harmful purposes
- Protects your site or service and other users
- Provides you with a basis to suspend or ban a user
- Provides you with a basis to defend your site or service against a legal claim resulting from the misuse of it
An Acceptable Use Policy is generally narrower than, but complementary to, a Terms and Conditions agreement.
To explain what an Acceptable Use Policy is, it's helpful to put it in the context of other agreements.
Terms and Conditions Agreement vs Acceptable Use Policy
If your business already has a Terms and Conditions agreement, or if you're in the process of creating one to sit alongside your Acceptable Use Policy, it's important to incorporate them into one another. This can mean that when a person agrees to your Terms and Conditions, they also agree to your Acceptable Use Policy.
We're going to look at this in more detail later. For now, let's look at an example from Intergage. First, here's the relevant section in its Acceptable Use Policy that references how the policy directly relates to the Terms and Conditions agreement:
And here's part of Intergage's Terms and Conditions that makes reference to the Acceptable Use Policy:
As you can see, while these agreements work together, they are separate.
While having an Acceptable Use Policy is strongly recommended, it's not a legal obligation.
FAQ: Acceptable Use Policy
Here is a list of frequently asked questions that you may find useful.
You are not legally required to have an Acceptable Use Policy. However, having one provides a number of benefits to both your business and your users.
Having an Acceptable Use Policy lets you set forth how users may use your platform or service, and what they must not do. This lets you maintain control over your business and gives you the right to terminate abusive users who violate your Policy.
Your users will also benefit by being able to easily access your rules and requirements for how they can use your platform or service.
An Acceptable Use Policy will exclusively cover the use of the platform or service.
The main clauses in an Acceptable Use Policy are as follows:
- Acceptable/allowed activities
- Prohibited activities
- Activities that require approval
- An Indemnity clause
- Penalties for violating the Policy
- How to report infringements
- Your investigation procedure for violations
- What actions you will take against violators
You can also link it to areas where people officially start to use your service, such as on an account registration form page.
Make your Acceptable Use Policy enforceable by getting users to consent to it. Get consent by using an unticked checkbox next to a statement that says something similar to "By checking this box, you confirm you have read and are agreeing to the terms of the Acceptable Use Policy."
When a user clicks the box and proceeds with your website or mobile app, you will have obtained consent and your Acceptable Use Policy will be enforceable.
Who Needs an Acceptable Use Policy?
Acceptable Use Policies are typically used by organizations that control systems such as:
- SaaS apps, mobile apps and other software
If a system is open to misuse or if it might cause harm when used carelessly or incorrectly, the owner of that system should have an Acceptable Use Policy in place.
Many organizations have an Acceptable Use Policy simply to govern the use of their website. This may be particularly appropriate where the website allows visitors to make comments or create accounts.
Sometimes an Acceptable Use Policy is in place merely as a precaution. Here's an example from Else Solicitors:
An Acceptable Use Policy is almost always in place if a company provides a shared network. For example, universities, schools, and work or social spaces with public WiFi networks. Highly malicious and illegal activities can take place over a network, and so the provider will always want to guard against this.
Acceptable Use Policies are also used by companies providing open source software, cloud computing, or telecommunications services. Such services have a lot of scope for potential misuse.
What Are the Benefits of an Acceptable Use Policy?
Implementing an Acceptable Use Policy can have many benefits for an organization. For example:
- It clearly set out the expectations for users
- Any penalties are more likely to be enforceable
- The organization can limit any legal damage caused by misuse of the service
A properly drafted Acceptable Use Policy can help your organization maintain greater control over the use of its services. Where the rules are set out clearly, they are more likely to be obeyed.
This type of agreement hit the news in 2018 when PayPal invoked its Acceptable Use Policy to close the account of game developer Acid Software, whose controversial game "Active Shooter" caused a public outcry.
Without a robust Acceptable Use Policy in place, PayPal might not have felt empowered to take this action against one of its users.
If your company doesn't have an Acceptable Use Policy, you won't be prosecuted for this reason. There's no law that says you must have one.
But you could end up in court opposite one of your users.
They may allege that you have breached your contract by suspending their account. Or you may be accusing them of damaging your company through misuse of your services.
Whether you're bringing a case or defending against one, you could be at a huge disadvantage without an adequate Acceptable Use Policy.
For example, in the case of Overy v PayPal, PayPal user Alfred Overy took the company to court. One reason for bringing the case was that PayPal had suspended his account. PayPal said that Mr. Overy had used his account in relation to gambling, something that contravened the Acceptable Use Policy.
The court sided with PayPal and decided that Mr. Overy had clearly broken the rules that he'd agreed to and that PayPal was within its right to suspend his account.
How to Create an Acceptable Use Policy
The specific content of an Acceptable Use Policy will depend on the nature and requirements of your business. But there are several standard features of most Acceptable Use Policies, including what actions you allow, what you prohibit, and what the consequences are for engaging in prohibited activities or uses.
You can decide the exact content, formatting, and tone of your Acceptable Use Policy. You should adapt it according to the needs of and risks specific to your site or the service you provide.
When writing your Acceptable Use Policy, avoid any legalese. Instead use clear, easy-to-understand language. This helps users to comply with the policy and ensures it's legally enforceable.
Let's take a close look at some of the components of an AUP.
Introduction and Scope of the Policy
The first section of your Acceptable Use Policy should set out the reasons for the agreement and what it applies to.
Here's an example from the University of Loughborough's Acceptable Use Policy. This is the introduction with the scope section highlighted:
This is a great explanation of the purpose and scope of the University of Loughborough's Acceptable Use Policy. It is clear that the policy applies to all IT services within the organization. It's written in an appropriately formal, but also friendly and accessible way.
Remember: It's important to clearly set out who your Acceptable Use Policy applies to.
Here's how GTT states in the opening paragraph of its Acceptable Use Policy that it applies to all GTT clients and other service users:
Outlining the scope of your Acceptable Use Policy helps users understand when and how the policy applies to them and their obligation to act in accordance with it.
If your Acceptable Use Policy includes complex or technical terms, it's a good idea to provide their definitions. You can do this by inserting a glossary or definitions paragraph at the start of your policy.
Alternatively, you can link to external definitions where necessary. This improves the readability of your Acceptable Use Policy and ensures your users fully understand it.
Folean, a content creation platform, includes a list of definitions in the first paragraph of its Acceptable Use Policy. The policy then refers to the four shorthand terms throughout, making it quicker and easier for users to read:
Defining any lengthy or complex terms helps to ensure your Acceptable Use Policy is clear and enforceable.
As the name suggests, Acceptable Use Policies outline the acceptable uses of your site or service. But it would be near impossible to make a comprehensive list of all the activities your site can be used for. Instead, Acceptable Use Policies often include a broad, purposive statement outlining the intended uses of the site or service.
For example, St. Clair County Community College summarizes the acceptable uses of its services in a single, brief paragraph. This paragraph also identifies the scope of the policy. It applies to faculty, staff, students, and public users:
Here's an example from Flickr that provides a good example of the type of non-legal language that you may want to use, and how they set out the acceptable behavior:
Setting out clearly what your users can do can help them to make a clear distinction between what your service allows and what it does not.
In addition to allowed activities, your Acceptable Use Policy should clearly set out and explain what constitutes prohibited conduct.
An Acceptable Use Policy should contain a list of activities that users are prohibited from engaging in while using your site or service.
The list doesn't need to be exhaustive. It should cover the general type of conduct that's not allowed on the site or service. You can tailor the list in terms of scope and detail to suit the nature of your business.
At a minimum, Acceptable Use Policies usually prohibit:
- Illegal conduct
- Harassment, abuse, or other offensive behavior
- Distribution of malware or interference with the service
- Spam or phishing emails
Let's take a look at an example of an Acceptable Use Policy from Dropbox. Dropbox's policy is primarily focused on behaviour that is not allowed, rather than behaviour that is allowed:
Dropbox has included a list of all of the types of behavior that it doesn't accept. Consider which of the above may apply to your platform and which things a user might be able to do. In particular, anything that interferes with the uptime of your service should be banned, as well as anything that could violate any laws.
IBM's Acceptable Use Policy succinctly lists seven types of prohibited conduct, including the common prohibitions listed above. It also notes that that prohibited conduct isn't limited to the items on the list:
To ensure your users clearly understand your Acceptable Use Policy, it's helpful to illustrate the type of conduct that is prohibited by providing examples.
For example, AT&T's Acceptable Use Policy prohibits spam/email/Usenet abuse. To illustrate the kind of conduct this includes, it gives several examples:
You can adapt the list of prohibited activities to suit your website or the service you provide.
For example, in addition to generally prohibited activities, The European Lung Foundation's Acceptable Use Policy also includes prohibited conduct in relation to contributions to its interactive services:
Regardless of the specific content of your list of prohibited behavior, it's important to write it in clear, easy-to-understand language.
Consequences of Breaching the Acceptable Use Policy
It's important that users understand the consequences of failing to comply with your Acceptable Use Policy. Clearly setting out the potential actions users can face gives you a basis to then take that action. It also helps you to justify the action should a user contest it.
Consequences may range from temporarily suspending a user's account or permanently banning them to formal legal action.
Some organizations state that they will impose a fine on users in violation of the more serious rules. Here's an example from ILance:
In its Acceptable Use Policy for its Estate Administration Service, Lloyds Bank sets out a list of the actions it may take in the event of a breach of the policy:
One of the potential consequences in the above list allows Lloyds to pursue legal action for costs on an indemnity basis. An indemnity clause is another common, stand-alone feature of many Acceptable Use Policies.
Reporting Potential or Actual Violations
It's unlikely you'll be able to monitor the conduct of every individual user of your site or service to ensure they are complying with your Acceptable Use Policy. Providing users with a way to report behavior they believe breaches your policy helps you monitor and address any issues.
For example, Telstra ends its Acceptable Use Policy with a short note on how users can report potential or actual violations via an email address:
Now that we've seen examples of some standard features of an Acceptable Use Policy, let's look at how you display and get users to agree to an Acceptable Use Policy.
How to Display an Acceptable Use Policy
There are several ways to display an Acceptable Use Policy. However you decide to do it, make sure it's clearly displayed so that your users can navigate to it easily.
If a user is viewing your site on a desktop, the Acceptable Use Policy can appear in a pop-up when they first navigate to your site or set up an account.
It's good practice to also include a link to the Acceptable Use Policy in the footer of your website, like the below example from Otava. This allows users to navigate to it quickly from any other page on your website:
For those viewing your site on a mobile app, you can make the Acceptable Use Policy accessible via your app's navigational menu with other legal agreements and important links.
For example, you could display it in a menu like this one from Fitbit:
Just make sure that it's as easy to locate as your other legal agreements are, and that users can access them at any time both before and after signing up for your website, app or other service.
How to Get Users to Agree to an Acceptable Use Policy
It's important that your users acknowledge they have read your policy, understand its contents, and agree to comply with it. There are several ways to do this.
You can use a pop-up when users first visit your site that contains your Acceptable Use Policy and a checkbox. Users will need to check the box to confirm that they have read and agree with the policy before they can navigate to your site.
Alternatively, you can include a link to your Acceptable Use Policy and a check box for their agreement at the end of an account creation form.
Using an "I Agree" checkbox is a nearly fail-proof way to obtain consent.
Here's an example of how you can do this:
Where your Acceptable Use Policy covers the use of a product, you should ask your users to agree before they make a purchase. Here's an example of how you can do this:
On a mobile device, the Acceptable Use Policy can open when someone downloads or opens your app for the first time. It can similarly include a checkbox for users to check to acknowledge they have read, understood, and agree to comply with the policy before they can navigate through to your full site or app.
Don't Use Browsewrap
A browsewrap method of obtaining agreement should be avoided where possible. Here, the user is deemed to have agreed by having used your service.
This led to a problem in the case of Specht v Netscape, where a user was held not to have been bound by terms presented in browsewrap format.
Many Acceptable Use Policies do attempt to use browsewrap methods to gain agreement. For example, Darwin Gray includes this short statement at the beginning of its Acceptable Use Policy:
You should always seek active agreement where possible.
Although you're not legally required to include an Acceptable Use Policy on your website, we strongly recommend doing so. A well-drafted policy will prevent misuse of your site or service, including nuisance behavior, interference with your system, and illegal conduct.
An Acceptable Use Policy sets out the rules for using your site or web-based service, including prohibited conduct and the consequences for breaching these rules. You can tailor the exact contents, formatting, and tone of your Acceptable Use Policy to suit the nature of your site or service.
Your Acceptable Use Policy will be unique to the context of your organization. But it could contain some of the following clauses:
- An introduction to explain the purpose of the agreement
- Definitions of key terms
- A list of acceptable activities
- A list of prohibited activities
- A list of activities permitted under certain conditions
- An indemnity clause to protect your organization from legal claims
- Details of any penalties you might impose if the agreement is breached
- A process by which users can report violations of the agreement
Make sure you take all reasonable steps to get active agreement from your users so your Acceptable Use Policy will be enforceable in a court of law if required.