Privacy & Data Protection

The Vendor Security Alliance: Why SaaS Companies Should Care

Short answer: security due diligence is the primary bottleneck in enterprise SaaS deals today. The Vendor Security Alliance standardizes the security questionnaire buyers send vendors, letting you prove your security posture once in a trusted format rather than answering a custom questionnaire for every enterprise deal. As a SaaS attorney,


A Few Things You Should Know About the NAI and SaaS Privacy

Short answer: the Network Advertising Initiative (NAI) is the self-regulatory body for third-party online advertising, and its Code of Conduct matters to SaaS vendors because it treats data that identifies a device or computer, not just a named person, as regulated. If your product touches third-party ads, tracking, or persistent


A Brief Outline of Privacy Issues for App Developers.

Short answer: app developer privacy comes down to three things. If you build apps, you need a clear privacy policy, just-in-time notices when you collect sensitive data, and privacy built into the design from the start. The FTC, state regulators, and the app stores all expect it, and getting it


2 Takeaways From the CarrierIQ Situation

Short answer: the CarrierIQ takeaways for software vendors come down to two things. In a vendor-plus-platform stack, the party that decides what data to collect and whether to disclose it carries the privacy responsibility. And a too-broad indemnity can put the software vendor on the hook for the platform’s mistakes.


Kevin Mitnick’s New Book

If you run a software or SaaS company, the biggest hole in your security is probably not your code. It is your people. That is the lesson of Kevin Mitnick’s book Ghost in the Wires, and it is why I think every software founder should read it. If you have


FTC’s Negative Option Rule

Short answer: the FTC’s Negative Option Rule is the federal standard for how you sell subscriptions, free-to-paid trials, and auto-renewals, and the core idea is simple: you cannot treat a customer’s silence as a “yes.” The headline “Click-to-Cancel” version of that rule was struck down by a federal appeals court


Google Buzz FTC Settlement: 3 SaaS Privacy Takeaways

Short answer: the Google Buzz FTC settlement taught SaaS vendors three lessons: set new “connect people” features to off by default, never use data for a purpose beyond what your policy disclosed, and put one person in charge of privacy. A single default setting can trigger FTC action. Google settled


3 Privacy Tips for a Software or SaaS Company

Short answer: the Supreme Court’s decision in City of Ontario v. Quon gives software and SaaS companies three durable employee-privacy lessons. First, write a clear technology usage policy. Second, make sure any search of employee data has a legitimate reason. Third, keep managers from rewriting the policy on the fly.


Contract or Policy?

Short answer: use a contract when you need a commitment neither side can change unilaterally (caps, indemnities, service levels); use a policy when you need the freedom to change the rules as your business evolves (security practices, support hours, acceptable use). The test is whether you need to be bound

