Legal Disclaimers — Reference

THIS REFERENCE DOES NOT PROVIDE LEGAL ADVICE. It documents general patterns drawn from public legal frameworks. Always consult a qualified solicitor in the relevant jurisdiction.

Supplementary reference material for the legal-disclaimers skill. Covers the main jurisdictions, the industry-specific rules, and the standard disclaimer types in detail.


Table of Contents

  1. Jurisdiction Matrix
  2. Industry-Specific Rules
  3. Standard Disclaimer Types
  4. Common Pitfalls
  5. Solicitor Review Checklist
  6. Update Cadence
  7. Final Reminder

1. Jurisdiction Matrix

Australia

Primary frameworks:

  • Privacy Act 1988 (Cth) + Australian Privacy Principles (APPs) — applies to organisations with annual turnover ≥ AUD $3M (with exceptions: health service providers, credit reporting bodies, organisations trading in personal information are covered regardless of turnover)
  • Australian Consumer Law (ACL) — Schedule 2 of the Competition and Consumer Act 2010
  • Spam Act 2003 — commercial electronic messaging
  • Do Not Call Register Act 2006 — telemarketing
  • Corporations Act 2001 — financial services
  • Therapeutic Goods Act 1989 + TGA Advertising Code — therapeutic goods

Privacy Act key obligations (when it applies):

  • Have a privacy policy that addresses each APP
  • APP 1: Open and transparent management of personal information
  • APP 3: Collect only what's necessary; collect lawfully and fairly
  • APP 5: Notify individuals at or before collection
  • APP 6: Use information only for the primary purpose (or a related secondary purpose with consent)
  • APP 8: Cross-border disclosure — be accountable for what overseas recipients do with the data
  • APP 11: Take reasonable steps to protect personal information
  • APP 12: Provide access to personal information on request
  • APP 13: Correct inaccurate information

Notifiable Data Breaches scheme: Must notify the OAIC and affected individuals if a data breach is likely to cause serious harm.

Australian Consumer Law key obligations:

  • Consumer guarantees (statutory rights that can't be waived) for goods and services
  • Refund / replacement rights for goods that are not of acceptable quality
  • "Cooling off" rights for unsolicited consumer agreements

Spam Act key obligations:

  • Consent (express or inferred) before sending commercial messages
  • Sender identification in every message
  • A functional unsubscribe mechanism

European Union

Primary frameworks:

  • GDPR (Regulation (EU) 2016/679) — applies to processing of personal data of EU residents, regardless of where the processor is based
  • ePrivacy Directive (2002/58/EC) — cookie consent rules
  • Digital Services Act (DSA) — for online platforms
  • AI Act (in force 2024) — regulates AI systems with risk-based tiers

GDPR key obligations:

  • Lawful basis for processing (consent, contract, legal obligation, vital interests, public task, legitimate interests)
  • Data minimisation (collect only what's necessary)
  • Storage limitation (retain only as long as necessary)
  • Data subject rights: access, rectification, erasure, restriction, portability, objection, automated decision-making
  • Privacy by design and default
  • Privacy impact assessments for high-risk processing
  • Data Protection Officer (DPO) appointment in certain cases
  • 72-hour breach notification to the supervisory authority

Cookie consent (ePrivacy): Requires explicit consent for non-essential cookies (analytics, marketing). "Implied consent" from merely continuing to browse is no longer accepted.

United Kingdom

Primary frameworks:

  • UK GDPR (post-Brexit version of EU GDPR, very similar but separate)
  • Data Protection Act 2018 — implements UK GDPR
  • Privacy and Electronic Communications Regulations (PECR) — equivalent to ePrivacy

UK GDPR is substantially the same as EU GDPR with separate enforcement (ICO).

United States

No comprehensive federal privacy law; coverage is state-by-state:

State         Law
California    CCPA / CPRA
Virginia      VCDPA
Colorado      CPA
Connecticut   CTDPA
Utah          UCPA

(More states have laws in progress.)

CCPA/CPRA key obligations:

  • Right to know what personal information is collected
  • Right to delete
  • Right to opt-out of "sale" of personal information ("Do Not Sell My Personal Information" link)
  • Right to non-discrimination for exercising rights
  • Notice at collection

Federal:

  • FTC Act (unfair and deceptive practices)
  • COPPA (children under 13)
  • CAN-SPAM Act (commercial email)
  • FCRA (consumer credit reporting)

2. Industry-Specific Rules

Financial services (AU)

Regulators: ASIC (financial services); APRA (banking, insurance, superannuation)

Key requirements:

  • Australian Financial Services Licence (AFSL) required to provide financial advice
  • Financial Services Guide (FSG) — must be provided to clients before financial services are given
  • General advice warning — must be included whenever general advice is given (advice that does not take the client's personal circumstances into account)
  • Statement of Advice (SoA) — for personal advice
  • Best interests duty — financial advisers must act in the best interests of clients

Standard general advice warning:

The information provided is general advice only and has been prepared without taking into account your personal objectives, financial situation, or needs. Before acting on the information, consider its appropriateness having regard to your personal circumstances, and consider seeking personal advice from a licensed financial adviser. You should also obtain and consider the relevant Product Disclosure Statement (PDS) before making any decision about the financial product.

Medical / health (AU)

Regulators: AHPRA (registered health practitioners); TGA (therapeutic goods); state health departments

Key requirements:

  • AHPRA registration for regulated health professions (medical, nursing, dental, pharmacy, psychology, etc.)
  • Advertising code — National Law restricts health-practitioner advertising (no testimonials, no false claims, no creating unrealistic expectations)
  • TGA advertising code — for therapeutic goods (medicines, devices, biologicals)

Standard medical disclaimer (for health information sites that are not providing personal medical advice):

The information on this website is provided for general educational and informational purposes only. It is not intended as medical advice and should not be relied upon as a substitute for consultation with a qualified healthcare professional. Always seek the advice of your doctor or other qualified health provider with any questions you may have regarding a medical condition. If you think you may have a medical emergency, call your doctor or emergency services immediately.

Legal services (AU)

Regulators: State law societies (Law Society of NSW, Victorian Legal Services Board, etc.)

Key requirements:

  • Practising certificate to provide legal services
  • Trust account rules
  • Professional indemnity insurance
  • Advertising rules (vary by state)

Standard legal disclaimer (for legal information content sites):

The information on this site is provided for general informational purposes only and does not constitute legal advice. Reading or interacting with this content does not create a solicitor-client relationship. The law changes frequently and varies by jurisdiction. For advice specific to your situation, consult a qualified solicitor in the jurisdiction in which you require advice.

Gambling (AU)

Regulators: State liquor and gaming authorities; Australian Communications and Media Authority (ACMA) for online gambling

Key requirements:

  • Licence from the state regulator
  • Responsible gambling messaging (must appear in advertising and on the platform)
  • Age verification (18+)
  • Self-exclusion options
  • Problem gambling helpline reference
  • Restrictions on advertising (timing, content, sports betting)

Standard responsible gambling disclaimer:

Think! About your choices. Call Gambling Help on 1800 858 858 or visit gamblinghelponline.org.au. You must be 18 years or over to gamble. Gamble responsibly.

AI content disclosure

EU: Required under Article 50 of the AI Act (in force 2024) for AI-generated content where the user might be deceived.

Australia, US, UK: No general legal requirement, but rapidly becoming a best practice expectation.

Standard AI disclosure:

Some content on this site is generated or assisted by artificial intelligence. We review AI-generated content before publishing, but errors are possible. If you spot one, please contact us.

Affiliate disclosure (FTC required for US audience; best practice everywhere)

FTC requirement (US): "Material connections" between an endorser and a brand must be disclosed clearly and conspicuously.

Standard affiliate disclosure:

Some links on this page are affiliate links. If you click and make a purchase, we may earn a commission at no additional cost to you. We only recommend products we have used or believe in.


3. Standard Disclaimer Types

Privacy policy outline (jurisdiction-agnostic skeleton)

A privacy policy should contain:

  1. Identity of the controller — legal entity name, address, contact, ABN (if AU)
  2. What personal information is collected — list categories
  3. How it is collected — directly, automatically (cookies, analytics), from third parties
  4. Why it is collected — purposes and lawful basis
  5. Who it is shared with — third parties, processors, sub-processors
  6. How long it is retained — retention periods or criteria
  7. How it is secured — security measures (general description)
  8. Individual rights — what the individual can do (varies by jurisdiction)
  9. International transfers — where the data goes
  10. Cookies — what cookies are used (or link to cookie policy)
  11. Children — if applicable, how children's data is handled
  12. Changes to the policy — how changes are notified
  13. Contact — how to ask questions or make a complaint
  14. Last updated — date

Terms of service outline (jurisdiction-agnostic skeleton)

A ToS should contain:

  1. About these terms — who they apply to, when they take effect, how they form a contract
  2. Definitions — key terms used in the ToS
  3. Use of the service — acceptable use, prohibited use
  4. Account registration — eligibility, accuracy of information, account security
  5. Content — your content, our content, user-generated content rules
  6. Payments — pricing, billing, refunds, taxes
  7. Intellectual property — who owns what, licences granted
  8. Disclaimers and limitations of liability — to the extent permitted by law
  9. Indemnity — when and how the user indemnifies the service
  10. Termination — by either party
  11. Governing law and dispute resolution — jurisdiction and forum
  12. Changes to these terms — how changes take effect
  13. Contact — how to reach the legal entity

Cookie banner

Three-tier model (recommended for GDPR/UK GDPR):

We use cookies to make this site work and to help us understand how it's used.

Necessary cookies (always on)
   Required for the site to function (login, security, basic preferences).

Functional cookies (off by default)
   Remember your preferences (language, region, accessibility settings).

Analytics and marketing cookies (off by default)
   Help us understand how the site is used and improve it.

[Accept all]   [Reject all]   [Customise]

Two-tier model (acceptable for AU/US where consent rules are less strict):

This site uses cookies. We use necessary cookies to make it work, and optional
cookies for analytics. You can opt out of analytics cookies below.

[Accept all]   [Necessary only]   [Customise]

Email marketing footer (AU Spam Act compliant)

This email was sent to {{email}} because you {{consent_basis: "subscribed via our
website on DATE" / "are a customer of {{Brand}}" / "registered for our event"}}.

{{Sender legal entity name}}
{{ABN if applicable}}
{{Registered address}}

[Unsubscribe]

The unsubscribe link must remain functional for at least 30 days after the email was sent, and unsubscribe requests must take effect within 5 working days.


4. Common Pitfalls

Pitfall 1: Generic templates from the internet

"I'll just copy a privacy policy from a similar site." This often produces a policy that doesn't match the user's actual data practices, contains references to the wrong jurisdiction, or includes obligations the user can't meet.

Pitfall 2: Out of date

Privacy laws change. A privacy policy from 2019 doesn't reflect AU's expanded NDB scheme, GDPR's clarifications, or any of the US state laws passed since.

Pitfall 3: Overpromising

"We will never share your data with anyone, ever." Sounds good. Almost always false. Service providers (hosting, email, analytics) will inevitably touch the data. Overpromising creates legal exposure.

Pitfall 4: Underpromising

"We may use your data for any purpose we choose." This may technically be acceptable in some jurisdictions but signals bad faith and creates trust problems.

Pitfall 5: Missing the "how to complain" section

Privacy policies in jurisdictions like AU require an explanation of how to make a complaint to the OAIC. Many user-generated policies miss this.

Pitfall 6: Hidden ToS

ToS that the user has to agree to but that are buried in tiny grey text at the bottom of a footer. The enforceability of unread terms is shaky in many jurisdictions.

Pitfall 7: No update mechanism

Failing to update disclaimers when the business changes. If the business adds a new processor, a new region or a new feature, the privacy policy must be updated to match.

Pitfall 8: Confusing legal pages

Combining ToS, privacy policy and refund policy into one giant "Legal" page. This reduces enforceability and makes the individual policies hard to find.


5. Solicitor Review Checklist

When the user takes the draft to a solicitor, the solicitor will typically check:

  • Legal entity name and registration details are accurate
  • Jurisdiction is correctly identified
  • All applicable laws have been addressed
  • Data categories collected match the actual product
  • Third-party processors are accurately listed
  • Retention periods are realistic and defensible
  • Individual rights match the jurisdiction's requirements
  • Cookie banner mechanism is technically implementable
  • Industry-specific disclaimers are present (financial, medical, legal, etc.)
  • Limitation of liability is enforceable in the jurisdiction
  • Refund policy aligns with consumer protection law
  • Email marketing footer is Spam Act compliant
  • Changes-notification mechanism is workable
  • Contact email and complaint process are operational

6. Update Cadence

Trigger                                                    Action
Annually (default)                                         Full review of all disclaimers
New jurisdiction added (e.g. selling to EU customers)      Add jurisdiction-specific clauses
New data type collected                                    Update privacy policy collection section
New third-party processor added (e.g. new analytics tool)  Update privacy policy sharing section
New business activity (e.g. adding affiliate links)        Add affiliate disclosure
Law change (e.g. new state privacy law passed)             Update affected sections
Data breach                                                Update incident-response procedures (and notify regulator under NDB)

The user should diary the annual review and assign a brand owner to it.


7. Final Reminder

THIS REFERENCE DOES NOT PROVIDE LEGAL ADVICE.

This document summarises publicly available legal frameworks for the purpose of helping users prepare draft documents for solicitor review. It is not exhaustive, may not be current, and does not address the user's specific circumstances. The user must consult a qualified solicitor in the relevant jurisdiction before publishing or relying on any legal artefact.