What is an Acceptable Use Policy: The Definitive Guide
If you are a business or organization that provides access to technology, whether it be by lending devices, providing online services or access to the Internet or a network, or if you are an individual that has used such services, you may have heard or been asked to confirm your acceptance of an acceptable use policy.
Many people do not actually take the time to read through such a document before agreeing to its terms but they should, as this is what governs the relationship between them and their service provider.
What is an Acceptable Use Policy?
An acceptable use policy can be defined as a document that sets out how individuals may use a network or a system as well as what is prohibited. It basically sets out the rules that people have to abide by in order to use your service.
It also sets out the consequences of not complying with the acceptable use policy, which will vary depending on the kind of service provider and the relationship that it has with its users.
Why do You Need an Acceptable Use Policy?
If you provide access to the Internet, you do not have direct control over the activities of the people using your network.
While it is tempting to assume that everyone is a good person, the reality is that some are not as well-intentioned as others and could be using your network to disseminate hate speech, share illegal content or try to install viruses or spyware on other computers connected to the network.
An acceptable use policy can make it clear to users that such behavior is prohibited and reinforces that access to a network is provided as a service and that, as such, if someone contravenes the terms of this policy, access to the network could be revoked.
Language can be added to the acceptable use policy to encourage users to report such prohibited behavior should they come across it as well as to signal any security breaches, such as attempts to log in to their accounts or the receipt of phishing emails.
As such, acceptable use policies are a great tool to encourage safety and protect organizations from cybersecurity threats.
Who Needs an Acceptable Use Policy?
Any business or organization that provides such a service should have an acceptable use policy in place to maintain control, protect itself from potential legal claims, and foster trust with users of the service.
Potential users of your blog, service, or any website should be made to read this policy before being given log-in credentials.
It is very common to see companies that provide software as a service, such as automated email marketing solutions, have such a policy. Internet or phone service providers are also the type of business that, without fail, asks users to consent to an acceptable use policy before giving them access to its network.
Moreover, schools, from primary to university level, usually ask students, professors, employees, and members of the public who use their computers, Internet network, and other online services to read and agree to abide by their acceptable use policies.
A lot of documents are shared on school networks, from course materials and presentations to group projects, and students who live on campus also make personal use of the network.
An acceptable use policy can be useful to prohibit users from downloading documents from unknown senders or opening email attachments from people outside of the network, or even from illegally sharing or downloading music or movies.
So do most big employers, who often use these policies to prohibit the use of the Internet for personal purposes during work hours or to block some websites, for example.
This ensures employee productivity as they can only use the provided technology to work and not spend time on social media or planning their next holiday.
Acceptable Use Policy Guidelines
An acceptable use policy should always start by explaining what the purpose of the document is, who and what it applies to (the scope of application), and why you are asking users to confirm that they will abide by your terms before using your technology services.
You can present this in a positive light by emphasizing that your end goal is to ensure that your platform, website, or network is used safely and legally, which is important for both your organization and your users.
By doing so, your users will understand the reasoning behind your decision to have such a policy in place and will likely be more willing to comply with your guidelines.
If you’re wondering what to include in your acceptable use policy, here are some standard clauses that are typically found in such a document.
Roles & Responsibilities
It is always a good idea to set out the roles and responsibilities of each party as you cannot necessarily control how someone will use your network, technology, or services.
You should make it clear that your users are responsible for following your policy and for ensuring their own safety and security while browsing the Internet, including being careful with the personal information that they share online.
If your employees are handling the sensitive data of your customers or clients as part of their job, you may want to reiterate the importance of preventing any leaks and set out how this data should be handled.
You may wish to consider adding a disclaimer that aims to limit your liability when it comes to the information that may be stored on your organization’s devices as well as, in the case of educational institutions, the use of personal devices on school property.
Acceptable & Unacceptable Uses
Depending on the type of business or organization that you operate, you may wish to define what constitutes appropriate use of your network as well as restrict access to some websites.
Acceptable uses could be anything that allows employees to perform work duties and service clients. For students, it could be to study online, perform research to write academic papers, and communicate with fellow students and professors.
On the other hand, prohibited uses could include using social media networks during work hours (you could make these websites inaccessible), visiting gambling or x-rated websites, sharing unlawful or offensive content, using the technology provided to take part in any type of illegal activity, including copyright infringement, sending spam emails using your network, etc.
What should be considered acceptable and prohibited will depend on the type of organization that you are spearheading as well as the type of technology that you are making available.
One thing is certain: it should be restrictive enough to protect your organization but not so much as to make it complicated or frustrating for people to use your technology.
In this section, you can address the common cybersecurity risks and threats associated with Internet usage and list out what types of conduct should be avoided by users to keep your network safe.
For example, you could request that users change their passwords every 30 days and not let anyone other than themselves use their account. You could specify that users are not to open emails or attachments from people outside of their network without first confirming that it is from a safe source.
If you are lending laptops or smartphones to your employees, you could restrict their Wi-Fi connection to your network and private networks only, making public networks, such as the ones at coffee shops and airports, inaccessible.
On the other hand, if employees are using their own devices for work purposes, you may wish to clearly define what data they can store on their devices and whether or not they can send work-related documents to their personal email addresses.
If you are in charge of security for a primary or high school, you may wish to request parental consent or teacher supervision for Internet users to avoid children finding inappropriate content or putting themselves in danger and then blaming you for it.
You can also explain the measures that you will be taking and the methods that you will be using to ensure system and data security, including how you will be supervising and enforcing compliance with your acceptable use policy.
Many organizations specify that they reserve the right to monitor Internet activity and files stored on the devices that they own from time to time to ensure compliance.
These are just a few examples of language that can be added to an acceptable use policy to tailor it to an organization’s specific security challenges.
See this article for more examples as well as a sample acceptable use policy template.
Data Breaches & Infringements
Your acceptable use policy is the perfect place to address how data breaches should be handled by your users. You could mention that the IT department is to be contacted immediately every time a suspicious-looking email is received or should a user believe that a third party has unlawfully accessed their accounts.
You should make it easy for your users to report data breaches, security incidents, and network issues. You could include the contact information of your cybersecurity department as well as set out a process to document such incidents.
Likewise, your users should have an easy way to report infringements of your acceptable use policy and know the steps that you will be taking to investigate their claims.
This can include, for example, explaining how you will process a copyright infringement claim if it is reported, such as taking down the content immediately while you look into the claim. This could also be as general as stating that anyone that becomes aware of an infringement must notify you in writing.
Account Termination & Sanctions
In order to retain some control over your website or network, you may wish to include wording that gives you the power to suspend or terminate a user’s account if they are found to have violated your acceptable use policy.
You may also wish to specify that you reserve the right to take further action against the infringers, such as reporting illegal activities to law enforcement or, in the case of employees, giving them a formal written notice to be kept on file or taking disciplinary action which can take the form of termination of employment in the case of serious or repeated breaches.
It is important that you make it very clear to your users that your acceptable use policy will be enforced and that action will be taken.
If you don’t want to spend any more time thinking about what you should be including in your organization’s acceptable use policy, try our acceptable use policy generator.
Where to Display Your Acceptable Use Policy?
When it comes to acceptable use policies, it’s not as much about where you should be displaying them as making sure that your users are aware that they exist and actively agree to them before they start using your network.
As such, potential users should be presented with a copy of your acceptable use policy at the time of account creation or before you give them log-in credentials.
You may wish to have a pop-up with a checkbox that needs to be ticked to ensure that they have read through the document and agree to abide by your code of conduct before giving them access to your network. Requesting affirmative consent to policies is considered best practice in this day and age.
Then, you can keep your policy accessible in the legal section of your website as well as in your website footer, so that your users can refer to it as needed.
The importance of an acceptable use policy in many contexts and environments is clear: when drafted properly, the rules and guidelines that it contains can help prevent abuse and allow you to maintain control over your network and its security.
It could also give you a leg to stand on in court should one of your users, having previously accepted the terms of your acceptable use policy, take advantage of your platform and be unhappy because you suspended their account or stopped them from continuing to use your services.
You will be able to refer them, and the judge, to the terms of your policy that prohibited such use.
However you choose to go about drafting your acceptable use policy, make sure that your users have read through it and accepted the terms before they start using your services, and use clear, easy-to-understand language to facilitate their comprehension.
We’ve done the hard work and created a generator that will allow you to generate a comprehensive yet succinct acceptable use policy to include on your platform. Click here to test it out.
- Updated on May 26, 2021