What’s an Acceptable Use Policy?
An Acceptable Use Policy is a legal document that forms a part of the “contract stack” of a software, SaaS, PaaS, or IaaS company. The document is typically designed to supplement the usage rights and usage parameters that are defined within the End User License Agreement (EULA), Terms of Service (ToS), or product documentation. Oftentimes the contract itself, in this case a EULA or ToS, does not prohibit certain types of behavior or certain uses in sufficient detail to put the customer or end user on notice that they are not allowed to use the service in a certain manner. What the EULA or ToS will typically do is prohibit using the software or SaaS in a manner that violates applicable law. The problem that arises is that there are many, many use cases that are objectionable from an operational, moral, ethical, or reputational standpoint but are not, strictly speaking, “against the law.”
Is an Acceptable Use Policy important?
An Acceptable Use Policy is very important for a software company to have for a number of reasons. The importance of an acceptable use policy is probably most heightened in the context of a PaaS, or IaaS company that is licensing infrastructure as a service or a platform as a service. Second place would be a SaaS company that is licensing SaaS products. Probably the lowest-risk use case is a company that only licenses on-prem software. That is sort of the hierarchy of importance for different types of companies vis-à-vis the utility of an Acceptable Use Policy.
What elements does a good Acceptable Use Policy incorporate?
A good Acceptable Use Policy is going to prohibit different types of use cases that are germane to the service being provided. For example, in the case of infrastructure-as-a-service, the company licensing the infrastructure might wish to prohibit end users from using the infrastructure to mine cryptocurrency. In the software-as-a-service space, and to a lesser extent in the on-prem software space, typical prohibitions on use include things like harassing another end user on the platform, using the service in an unanticipated way such as conducting e-mail campaigns that might not be entirely illegal activities but are nonetheless undesirable, like phishing, creating a pyramid scheme, running a multi-level marketing campaign, mirroring a website, encouraging others to violate the rights of third parties, and using the platform to promote hate or messages of hate, to incite violence or terrorism, or to promote an ideology that is in violation of commonly-held values and social norms. Other typical prohibitions include using the software or service to violate the security of a third-party network or, again, using the platform in an unanticipated way, such as a Red Team exercise, conducting penetration tests on networks, or conducting speed or other benchmarking research. Other use cases include sending huge volumes of emails that might technically not be in violation of the CAN-SPAM Act or other e-mail marketing regulations but nonetheless could bring disrepute upon the service provider that is facilitating the dissemination of those e-mail marketing campaigns.
One of the most important elements of a good Acceptable Use Policy is for the SaaS or software company that is writing and promulgating the policy to reserve the right to update the policy from time to time, with or without notice to the end user population. Software evolves over time, new software products are invented and brought to market by the company, and the use cases that the company might wish to prohibit can evolve in turn. It’s important for the business to have the agency to update the policy essentially in real time to facilitate the seamless evolution and rollout of those products.
What elements should be omitted from a good Acceptable Use Policy?
If you read a typical Acceptable Use Policy many of them are fairly poorly drafted. The number one mistake that I am used to seeing is regurgitation of use case prohibitions that are already present within the contract or ToS itself. It is never a good drafting practice to say the same thing twice in a contract for a number of reasons and I will spare the reader the rationale behind that in this particular article.
Where does an Acceptable Use Policy typically get posted or documented?
An Acceptable Use Policy is typically posted on the website of the software company or SaaS company that drafted it. Typically an Acceptable Use Policy is a standalone document that makes up part of the software company’s “contract stack,” but you will sometimes see it included within the product documentation itself, and that product documentation may or may not be publicly accessible. The latter is a suboptimal practice because the Acceptable Use Policy will be within the ambit of a non-attorney or someone outside of the in-house legal department of the software or SaaS company; the resulting lack of ownership, with non-attorneys as the stewards of a very important element of the SaaS company’s contract stack, creates an administrative or operational issue. Product documentation often lacks the same level of internal control and administrative rigor that a company’s contract templates enjoy.
What happens if a SaaS or on-prem software company does not have an Acceptable Use Policy?
This scenario can put a SaaS company in a tough spot. The way this scenario typically arises is the SaaS company will end up having a customer who is using the product in an objectionable way, for example they might be engaging in hate speech within the product or platform. Upon review of the “contract stack” this company might discover that they do not have grounds to terminate the customer’s license or subscription to the product. This puts the SaaS company in a really awkward spot where they’re essentially providing a tool that is being used in a morally or ethically objectionable way and they have no choice but to send a Letter of Termination to the customer but the effective date of that Letter of Termination could be a long time away.
Are there certain products or services where an Acceptable Use Policy is hugely important?
Yes, again, an Acceptable Use Policy is hugely important in the IaaS or PaaS space. Any time you are providing your customers infrastructure in the form of computing power or data storage, or you are providing a product or service that allows users to interface with one another, such as a forum, a user community, or perhaps even a software forge as part of your tech partner program, that is where an Acceptable Use Policy can add the most value, because the customer has the greatest degree of agency to pursue creative or unintended use cases with your service.