Launch a Business: Guide 12 of 13
Claude Code · Intermediate · 20 min

Legal Essentials: Terms, Privacy, Cookies

Generate the legal documents every website needs: terms of service, privacy policy, cookie policy, and acceptable use policy — tailored to your specific product and jurisdiction.

What you will build
A complete set of legal documents customised for your product and deployed on your site

Why legal documents matter and what you actually need

Every website that collects user data — even just an email address — needs legal documentation. This is not optional: GDPR (Europe), CCPA (California), and similar laws worldwide impose significant fines for non-compliance. Beyond the legal requirement, terms and privacy policies protect your business from liability and set clear expectations with users.

The good news: for most early-stage products, you need four documents.

Terms of Service (or Terms of Use) governs the relationship between you and your users — what they can do, what you are liable for, how disputes are resolved.
Privacy Policy explains what personal data you collect, why, how you store it, and users' rights regarding their data.
Cookie Policy details what cookies and tracking technologies your site uses and lets users consent or opt out.
Acceptable Use Policy defines what users are not allowed to do on your platform.

Ask Claude Code: Create a new project folder called legal-docs. Create a config file called legal-config.json with fields for: company name, website URL, company address, contact email, product description in one sentence, data collected (list all personal data fields), third-party services used (analytics, payment, email), hosting country, and target jurisdictions (UK, EU, US, or a combination). Fill it in with your business details.

This config file drives the document generation — every legal document will be customised based on these specifics rather than being a generic template.

Generating a Terms of Service

Terms of Service protect your business by defining the rules of engagement.

Ask Claude Code: Using the legal-config.json, generate a comprehensive Terms of Service document. Save it as terms-of-service.md. The document must include these sections: Agreement to Terms (user agrees by using the service), Description of Service (what your product does), User Accounts (registration requirements, account security, termination), Acceptable Use (what users can and cannot do), Intellectual Property (who owns what — your product's IP and user-generated content), Payment Terms (if applicable — billing, refunds, cancellation), Limitation of Liability (cap your liability, disclaim warranties where legally permissible), Indemnification (user agrees to hold you harmless for their actions), Termination (when and how accounts can be terminated), Dispute Resolution (governing law, jurisdiction, arbitration if applicable), Changes to Terms (how you will notify users of updates), and Contact Information. Each section should be written in clear, readable English — not dense legalese. Use short paragraphs and plain language. Number each section for easy reference.

Ask Claude Code: Add jurisdiction-specific clauses. For UK and EU users, include GDPR-compliant data processing terms and the right to cancel within 14 days for paid services (Consumer Contracts Regulations). For US users, include a DMCA notice procedure if your platform hosts user content. Include a severability clause so that if one section is found unenforceable, the rest still stands.

Important disclaimer: AI-generated legal documents are a strong starting point but should be reviewed by a qualified lawyer before launch, especially if you handle sensitive data, process payments, or operate in regulated industries.

Creating a GDPR-compliant Privacy Policy

The Privacy Policy is the most legally sensitive document because data protection laws have specific requirements about what must be included.

Ask Claude Code: Generate a GDPR-compliant Privacy Policy based on legal-config.json. Save as privacy-policy.md. The document must cover: Identity and Contact Details (who you are and how to reach you), Data Controller information, What Data You Collect (enumerate every category: identity data, contact data, technical data, usage data, marketing data, payment data), How You Collect It (directly from user, automatically via cookies, from third parties), Legal Basis for Processing (consent, contract performance, legitimate interest — GDPR requires you to specify which basis applies to each type of processing), How You Use the Data (specific purposes like providing the service, improving the product, sending marketing, preventing fraud), Who You Share Data With (list every third-party service: Stripe for payments, Resend for email, Vercel for hosting, PostHog for analytics), International Transfers (if data crosses borders, explain safeguards), Data Retention (how long you keep each type of data and why), Your Rights (access, rectification, erasure, restriction, portability, objection — and how to exercise each right), and Cookie Policy (or reference to the separate cookie policy).

Ask Claude Code: For each third-party service in the config, add a specific disclosure: what data is shared with them, why, and a link to their privacy policy. For example: "We share your email address with Resend (https://resend.com/privacy) to send transactional emails such as account confirmations and password resets."

This level of specificity is what regulators expect.

Cookie consent and policy

Cookies track users across pages and sessions. GDPR and the ePrivacy Directive require informed consent before setting non-essential cookies.

Ask Claude Code: Create a Cookie Policy document at cookie-policy.md. Categorise all cookies your site uses into four groups: Strictly Necessary (session cookies, authentication — these do not need consent), Functional (language preference, theme choice — improve experience), Analytics (PostHog, Plausible, Google Analytics — track usage patterns), and Marketing (ad tracking, social media pixels — targeted advertising). For each cookie, document the cookie name, provider, purpose, type (session or persistent), and expiration time.

Ask Claude Code: Build a cookie consent banner component at src/components/CookieBanner.tsx. It should appear at the bottom of the page on first visit with a brief message explaining cookies, and offer three buttons: Accept All, Reject Non-Essential, and Customise. The Customise option opens a modal showing the four cookie categories with toggles — Strictly Necessary is always on and cannot be disabled. Save the user's preferences in a cookie (ironically, a consent cookie is strictly necessary). Only load analytics and marketing scripts after consent is granted.

Ask Claude Code: Create a utility at src/lib/cookies.ts that checks the consent cookie before loading any tracking scripts. Export a function hasConsent(category) that returns true or false. Wrap your analytics initialisation with: if (hasConsent('analytics')) { loadPostHog(); }

This ensures legal compliance — no tracking fires until the user has explicitly consented. Create a link in the footer to manage cookie preferences that reopens the consent modal so users can change their choices at any time. Test by clearing cookies, visiting the site, checking that no analytics calls fire before consent, accepting analytics, and verifying tracking starts.

Acceptable Use Policy and content moderation

If users can create content, post comments, or interact on your platform, you need rules about what is allowed.

Ask Claude Code: Generate an Acceptable Use Policy at acceptable-use-policy.md. Cover: prohibited content (illegal material, harassment, spam, malware, intellectual property infringement), prohibited behaviour (attempting to breach security, scraping, abusing APIs, creating multiple accounts to circumvent limits), consequences of violations (warning, suspension, termination — define a graduated enforcement approach), reporting mechanism (how users report violations, your response timeline commitment), and appeals process (how users can contest an enforcement action). Write it in clear, direct language.

Instead of legalese like "Users shall not engage in conduct that may be deemed harmful", write: "Do not harass, bully, or threaten other users." Specific language is easier to enforce and harder to argue against.

Ask Claude Code: Create a content moderation workflow document at moderation-workflow.md. Define the process for handling reported content: report received and logged, initial review within 24 hours, decision (no action, warning, content removal, account suspension, account termination), notification to both reporter and reported user, and appeal window of 7 days. Include template response emails for each outcome.

For platforms that handle user-generated content at scale, ask Claude Code: Create a simple content moderation API endpoint that checks text against a list of prohibited keywords and patterns. Flag content for human review rather than auto-removing it — false positives damage trust. Log all moderation decisions for accountability.

This system keeps your platform safe while treating users fairly.
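An added example, not part of the guide, of the keyword-and-pattern screen behind the moderation endpoint described above: matching content is flagged for human review and never removed automatically, and every decision, publishes included, is appended to a log. The rule list, function names and log shape are constructed for illustration.

```typescript
// Added example, not the guide's code: rule list, function names and log shape are constructed.
type Decision = 'publish' | 'flag-for-review';

interface ModerationRule {
  id: string;
  pattern: RegExp; // compiled once, case-insensitive where wording matters
  reason: string;
}

interface ModerationLogEntry {
  contentId: string;
  decision: Decision;
  matchedRules: string[];
  reviewedBy: string | null; // filled in later by the human reviewer
  at: string;                // ISO timestamp of the automated decision
}

// Constructed sample rules. Word boundaries keep keyword rules from firing inside
// longer words, and the link rule flags bursts of links rather than every URL.
const RULES: ModerationRule[] = [
  { id: 'kw-harassment', pattern: /\b(kill yourself|kys)\b/i, reason: 'harassment keyword' },
  { id: 'kw-malware', pattern: /\b(keygen|cracked installer)\b/i, reason: 'malware distribution' },
  { id: 'pat-link-spam', pattern: /(https?:\/\/\S+[\s\S]*?){3,}/i, reason: 'three or more links' },
  { id: 'pat-flooding', pattern: /(.)\1{9,}/, reason: 'ten or more repeated characters' },
];

// Strip zero-width characters and collapse whitespace so rules see the text a reader sees.
function normalise(text: string): string {
  return text.replace(/[\u200B-\u200D\uFEFF]/g, '').replace(/\s+/g, ' ').trim();
}

// Screen one piece of content. Matches only flag it; removal stays a human decision
// because a false positive that silently deletes a post damages trust.
function screenContent(contentId: string, text: string, now: Date = new Date(),
                       rules: ModerationRule[] = RULES): ModerationLogEntry {
  const body = normalise(text);
  const matchedRules = rules.filter(r => r.pattern.test(body)).map(r => r.id);
  const decision: Decision = matchedRules.length > 0 ? 'flag-for-review' : 'publish';
  return { contentId, decision, matchedRules, reviewedBy: null, at: now.toISOString() };
}

// Append-only in-memory log standing in for a database table. Publishes are logged too,
// so reviewers can audit what the automated screen let through.
const moderationLog: ModerationLogEntry[] = [];
function recordDecision(entry: ModerationLogEntry): number {
  moderationLog.push(entry);
  return moderationLog.length;
}
```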

Deploying legal pages on your site

Legal documents need to be accessible, linkable, and versioned.

Ask Claude Code: Convert all four legal documents from markdown to Next.js pages. Create pages at /legal/terms, /legal/privacy, /legal/cookies, and /legal/acceptable-use. Each page should have: a clean reading layout with comfortable line length (max 65 characters), a table of contents sidebar generated from the headings, a last updated date at the top, a print button for users who want a physical copy, and a version number. Use the same typography and layout as the main site but with a simpler design that prioritises readability.

Add links to all legal pages in the site footer — this is standard practice and makes them discoverable. The registration form should include a checkbox: "I agree to the Terms of Service and Privacy Policy", with links to both documents. This checkbox must be unchecked by default (GDPR requirement: pre-ticked boxes do not constitute valid consent).

Ask Claude Code: Add a versioning system. Create a legal-versions.json file that tracks the version number, effective date, and a summary of changes for each document. When a document is updated, increment the version and add a changelog entry. Add a "Changes to this document" section at the end of each page that lists previous versions.

For significant changes to the Terms of Service or Privacy Policy, you must notify existing users — typically via email. Create an email template for legal update notifications that summarises the changes, links to the full document, and states when the new version takes effect (typically 30 days after notification).

Ask Claude Code: Create a final legal compliance checklist for launch. Verify: all four documents are published and linked from the footer, cookie consent works correctly, registration requires terms acceptance, privacy policy lists all third-party services, and data retention periods are defined and reasonable.
