Do I Need a Terms of Service?
If your product has users, you need a Terms of Service (“TOS”). For founders, it is tempting to treat this document as something to handle after launch, after traction, after the first funding round, or with a ChatGPT output. That instinct is understandable, and it is also costly. A well-drafted TOS is a foundational legal document.
What a Terms of Service Actually Does
A Terms of Service is a binding contract between your company and the people who use your product. It defines the rules of the relationship: who can use the service, on what terms, and what happens when something goes wrong. Without one, you are operating without the legal infrastructure to protect your intellectual property, limit your liability, establish a dispute resolution mechanism, or remove bad actors from your platform.
A Terms of Service can include disclaimers and limitations of liability that help protect the startup from potential legal action. For example, if a user suffers losses or damages as a result of using the service, the agreement can limit the company's liability. It also gives you contractual grounds to address user-generated content, set acceptable use standards, and define what happens when those standards are violated. None of those protections exist if you never established them in writing.
The Legal Landscape
Unlike a privacy policy, no single federal statute universally mandates a Terms of Service. The obligation emerges from many overlapping sources. Some come from traditional common law and others from consumer protection statutes. For example, the Restore Online Shoppers' Confidence Act (“ROSCA”) applies to sellers of goods or services featuring a negative option, including automatic renewals, continuity plans, and free-to-paid conversions. ROSCA requires those sellers to clearly disclose all material terms upfront, obtain the consumer's consent before charging, and provide a straightforward way to cancel. Violations of ROSCA are subject to civil penalties of up to $53,088 per violation.
What Happens Without One: Amazon’s $2.5 Billion Mistake
In September 2025, the Federal Trade Commission (“FTC”) secured what it described as a landmark settlement against Amazon.com, Inc. (“Amazon”). FTC v. Amazon.com, Inc., No. 2:23-cv-00932-JHC (W.D. Wash. 2025). The FTC alleged that Amazon enrolled millions of consumers in Prime subscriptions without their consent and knowingly made it difficult for consumers to cancel. The settlement requires Amazon to pay a $1 billion civil penalty, provide $1.5 billion in refunds to consumers harmed by the deceptive Prime enrollment practices, and cease unlawful enrollment and cancellation practices. See the Federal Trade Commission press release. Internal Amazon documents introduced in the proceedings revealed that executives had been aware of the problem for years. A compliant product requires, at minimum, a robust TOS that clearly outlines subscription terms, secures affirmative consent, and offers an easy cancellation process. These provisions are what distinguish a legitimate product from the type of conduct that has historically resulted in FTC enforcement actions.
What a Terms of Service Must Cover
Your Terms of Service must describe the relationship between your company and your users. For example, they must identify who is permitted to use your product and any eligibility restrictions, describe your intellectual property rights and what users may or may not do with your content, outline your dispute resolution process, including any arbitration or class action waiver, and limit your liability to the extent permitted by applicable law. If your product involves subscriptions or recurring billing, you will need to include clear and conspicuous disclosures about all material terms of the subscription, including cost, billing frequency, whether the subscription auto-renews, and how to cancel, and you must provide a cancellation mechanism that is at least as simple as the sign-up process.
If You Need Help, Reach Out to Stealth Legal
Stealth Legal is a boutique tech-focused law firm that works with startups and technology companies on contracts, compliance, and regulatory risk. Whether you are launching a new product or revisiting agreements that have not been touched since day one, our team can help you build a legal foundation that protects your business and scales with it.
If you have questions about your Terms of Service or other foundational documents, contact us at pavin@stealth.legal
This post is for informational purposes only and does not constitute legal advice. For advice specific to your situation, please consult a licensed attorney.
Do I Need a Privacy Policy?
If you are building a product that touches user data, the answer is a resounding yes. For startup founders, having a compliant privacy policy from day one is one of the most consequential legal decisions you will make, and failing to get it right early can cost far more than getting it right at the outset.
The Legal Landscape
Privacy laws in the United States operate across multiple overlapping frameworks. At the federal level, the Federal Trade Commission Act prohibits unfair or deceptive trade practices, which include making representations about your data practices that you do not follow. Sector-specific statutes impose additional obligations depending on your industry: the Health Insurance Portability and Accountability Act (“HIPAA”) governs health data, the Children's Online Privacy Protection Act (“COPPA”) applies to products directed at children under 13, and the Family Educational Rights and Privacy Act (“FERPA”) covers student education records.
Despite the absence of a comprehensive privacy law at the federal level, the legal landscape has expanded dramatically at the state level. As of 2026, 20 states have enacted comprehensive consumer privacy laws. The California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), remains the most comprehensive, and it is the only state law that applies equally to consumers, employees, and business-to-business contacts. States including Colorado, Virginia, Texas, Oregon, Minnesota, and New Jersey have each enacted their own frameworks, each with distinct applicability thresholds, consumer rights provisions, and enforcement mechanisms.
In 2026, where nearly every company has an online presence, there is no longer a meaningful distinction between companies that are subject to privacy laws and companies that are not. In practice, nearly every company is subject to multiple privacy frameworks simultaneously. A privacy policy is the primary mechanism through which you satisfy the disclosure obligations those frameworks impose.
What Happens When Your Privacy Policy Doesn’t Match Your Practices: The BetterHelp Case
In March 2023, the Federal Trade Commission (“FTC”) took action against BetterHelp, Inc. (“BetterHelp”), an online mental health counseling platform. In re BetterHelp, Inc., FTC Docket No. C-4796 (2023). The FTC charged that BetterHelp had shared users' sensitive health information, including email addresses, IP addresses, and answers to mental health intake questionnaires, with Facebook, Snapchat, Criteo, and Pinterest for advertising purposes. The company had explicitly promised users, at multiple points in its sign-up process, that their personal health information would stay private and would not be disclosed for advertising purposes. The FTC found those representations to be deceptive under Section 5 of the FTC Act. The resulting settlement required BetterHelp to pay $7.8 million in consumer refunds and banned the company from sharing consumer health data for advertising purposes going forward. See the FTC BetterHelp press release.
The BetterHelp case illustrates two failure modes that are common among startups. The first is having a privacy policy that does not accurately describe actual data practices. The second is treating the privacy policy as a disclosure exercise rather than a binding commitment. A policy that says one thing while the business does another is not just non-compliant. It is worse than having no policy at all, because it transforms a regulatory omission into a deceptive trade practice.
What a Privacy Policy Should Cover
A compliant privacy policy should, at minimum, identify what categories of personal information you collect, explain the purposes for which that information is used, disclose whether you share it with third parties and under what circumstances, and describe the rights users have over their data. If you serve California residents, the CCPA and CPRA require additional specificity around data categories, consumer rights to access and deletion, and opt-out rights for the sale or sharing of personal information.
As the state privacy law landscape continues to evolve, the policy also needs to be updated when your practices change. Founders who draft a privacy policy at incorporation and never revisit it often find themselves out of compliance the moment they integrate a new tool or expand into a new market. The compliance bar is rising, and it is rising quickly.
If You Need a Privacy Policy, Reach Out to Stealth Legal
Stealth Legal is a boutique tech-focused law firm that works with startups and technology companies navigating privacy compliance, data governance, and regulatory risk. Whether you are launching a new product, revisiting existing policies, or building out a data infrastructure that needs legal review, our team can help you establish a foundation that scales with your business.
If you have questions about your privacy obligations, contact us at pavin@stealth.legal
From Watergate to DeepSeek: How a Political Scandal Shaped U.S. Privacy Law
In the wake of the Watergate scandal, Americans weren’t just shaken by political corruption—they were forced to confront a chilling reality: their personal information wasn’t as private as they thought. As trust in government hit an all-time low, lawmakers scrambled to restore public confidence, leading to the passage of the Privacy Act of 1974—one of the first laws in the U.S. designed to protect citizens from government overreach into their personal data. But how did a break-in at the Watergate Hotel lead to a landmark privacy law? Let’s dive into the connection.
I couldn’t help but wonder—if a break-in at the Watergate Hotel led to one of the first privacy laws in America, what kind of scandal will it take to protect our data today?
When the Watergate scandal rocked the nation in the 1970s, it wasn’t just about politics—it was about privacy. As details of illegal wiretapping, secret recordings, and government overreach came to light, Americans realized something chilling: their personal information wasn’t as private as they thought. And just like that, trust in the government crumbled faster than a bad first date. Lawmakers, desperate for a PR makeover, scrambled to restore public confidence, leading to the passage of the Privacy Act of 1974—an attempt to put some much-needed boundaries between the government and our personal data.
Fast forward to today, and our personal information is more exposed than ever. But this time, it’s not just the government we’re worried about—it’s corporations, hackers, and even that app we downloaded last week without reading the terms and conditions. With technology evolving at breakneck speed, data collection has become so sophisticated that privacy feels more like an illusion than a right. Every search, swipe, and scroll feeds into a digital footprint that someone, somewhere, is analyzing.
And then there’s DeepSeek—a technology that sounds more like a Bond villain than a data tool. It’s designed to collect and analyze vast amounts of user data, and while that might sound like the future, critics warn that it’s also a privacy nightmare. The fear? That our personal information could be accessed by foreign governments, bad actors, or that ex who just won’t let go.
So here we are, decades after Watergate, still grappling with the same question: how do we protect our privacy? If a presidential scandal was enough to spark change in the ‘70s, what will it take now? Maybe a headline-grabbing data breach. Maybe a digital-age whistleblower. Or maybe, just maybe, we start demanding better laws before the next crisis forces us to.
Because in a world where nothing is truly private, the biggest scandal might just be that we’re still waiting for change.
The Looming Shadow of DeepSeek: A Privacy and National Security Quagmire
Artificial Intelligence and Your Personal Information
The trajectory of federal privacy law in the United States is, to put it mildly, complicated. We have the familiar push and pull of technological advancement outpacing regulation, heightened public sensitivity to privacy breaches, and the persistent need for a unified national standard. But lately, a new variable has entered the equation, one that throws the existing tensions into stark relief: DeepSeek.
DeepSeek's rise has been meteoric, and its data collection practices are…extensive. This isn't just your typical app collecting anonymized usage data. We're talking about vast troves of personal information, raising legitimate concerns about potential access by the Chinese government and the specter of surveillance. This isn't just a privacy issue; it's a national security one. And, as is often the case, the two are becoming increasingly intertwined.
This situation underscores a core tension in the digital age: the allure of technological innovation versus the imperative of safeguarding privacy and national security. On one hand, we have DeepSeek's undeniable technological prowess, a testament to the rapid advancements in AI and data analytics. On the other hand, we have the very real risk of this technology being weaponized or used in ways that undermine fundamental rights and national interests.
The regulatory response to this challenge is, predictably, a muddle. The existing patchwork of state and federal laws is ill-equipped to handle the complexities of a technology like DeepSeek. We need a coherent, national framework that both protects privacy and security while fostering innovation. But achieving this delicate balance is proving to be exceedingly difficult.
This is where the expertise of a specialized tech law firm becomes indispensable. Navigating the legal and regulatory landscape surrounding DeepSeek and similar technologies requires a deep understanding of both the technology and the law. We, at Stealth Legal, are uniquely positioned to provide that guidance. We understand the technical underpinnings of these systems, and we are well-versed in the evolving legal frameworks that govern them.
If your organization is grappling with the implications of DeepSeek or other data-intensive technologies, don't go it alone. Contact Stealth Legal for a consultation. We can help you assess your risks, ensure compliance, and develop strategies for navigating this complex and rapidly changing environment. The future of privacy and security depends on it.