Sample Acceptable Use Policy Template and Examples

An acceptable use policy, while not required by law, is arguably one of the most important policies an organization providing access to a website, application, online platform or network should have.

Indeed, it allows the organization to maintain control and ensure the security of both its service and its users. Technology is a beautiful thing but there are undoubtedly many risks associated with using online services and handling business data virtually.

The main threat to network security is without a doubt users taking risks or misusing technology, hence the importance of being diligent and trying to regulate their use to prevent breaches and data loss.

Sample Acceptable Use Policy Template

Acceptable use policies, unlike privacy policies, are not legally required, thus what should be included is not as standard. One must consider the particularities of each organization, its technology, and its end-users before drafting such a document.

However, this handy template is a good starting point and can be customized to your organization’s needs:

Free Generic Acceptable Use Policy Template

Expert tip: Take the hassle of writing your own acceptable use policy away with our acceptable use policy generator. It will save you hours of work and possible costly legal mistakes.

Acceptable Use Policy Examples

Online Banking Services

Transferwise, now known as Wise, is a financial technology company that allows customers to hold bank accounts in multiple currencies, apply for a multi-currency credit card, and transfer money worldwide. Unlike traditional banks, it does not have any physical locations and, as such, exclusively offers its services through an online platform.

Unsurprisingly, considering the risks associated with the handling of financial data, Wise has a detailed yet easy-to-understand Acceptable Use Policy, which sets out the terms under which users can access its services (to be read in conjunction with its User Agreement, which refers to its other policies).

Restricted Activities

Wise starts out by stating that its services are to be used for lawful purposes only - it uses bullet points to list out prohibited uses:

Transferwise's acceptable use policy section on "Restricted activities"

Note how general this clause is - it encapsulates any use of its services that would breach or cause the company to breach any local, national or international laws or regulations. Being a bank, it specifically mentions that its services are not to be used for fraudulent purposes or to perform tax evasion.

Restricted Businesses & Transactions

In addition to restricting how its services are to be used, Wise states that it does not support a range of businesses or transactions involved in the following categories and industries as it considers them too risky:

Wise's acceptable use policy shows section 1.2.1 Regulated or illegal products or services

Note that this list is not exhaustive and that Wise reserves the right to deny service to any customers that it deems to exceed its risk tolerance threshold.

Penalties

Wise is very clear when it comes to explaining the consequences of not complying with its acceptable use policy.

Transferwise's acceptable use policy section "Suspension and termination"

It gives itself the power to immediately remove one’s access to its services, suspend or cancel payment orders, remove user-uploaded material, issue warnings, take legal action against perpetrators and report and disclose relevant information to law enforcement authorities.

These terms should not come as a surprise to individuals that choose to use Wise’s services as they are prompted to accept them at the time of account creation:

Transferwise's account creation form with terms of use and privacy policies on the bottom

When one clicks on “Terms of Use” they are taken to a page where all applicable agreements are listed out and made accessible through hyperlinks, including the acceptable use policy:

Transferwise's links to legal agreements

This is a great way for the company to ensure that potential customers do not miss any of the important policies that govern the use of its website and services.

Educational Institution

Prestigious Washington-based Georgetown University welcomes the finest students from all over the globe. Technology is widely used by faculty, staff and students to teach, study and research and, considering the size of the institution, it has numerous strong policies in place that govern how it should be used by all.

These are all accessible in one place, through the University Information Security Office, including its Computer Systems Acceptable Use Policy.

Purpose & Applicability

Perhaps to make its university population aware of the reason and purpose behind this policy, Georgetown University’s acceptable use document starts out by stating to whom it applies as well as the guiding principles behind it.

Georgetown University’s computer systems acceptable use policy guidelines

Note that this policy applies to anyone that uses the University’s information technology resources, and not just to students and staff.

The guiding principles are a great idea for any organization in which restrictions to technology access could be seen as a limitation of personal freedom.

The University explains that it recognizes the importance of being able to access IT resources to support education and research and to be exposed to a multitude of views. However, it does restrict usage to university-related activities only, such as research, instruction, learning, enrichment, dissemination of scholarly information, and administrative tasks.

Disclaimer

The University, by making IT resources available, is also exposing users to content that it doesn’t control. Considering the amount of information that circulates on the Internet, this makes total sense. To protect itself, the University includes a disclaimer:

Georgetown University's computer systems acceptable use policy shows disclaimer section

It also encourages users to report abuse at a dedicated email address.

Responsibilities

The University cannot possibly monitor all of the IT resources that it makes available. Thus, it sets out the responsibilities that come with choosing to use its computers or networks.

It notably reinforces the importance of taking appropriate security measures when using electronic resources, including when it comes to password management and protection from unauthorized access - it refers users to the Georgetown University Information Security Policy, which they are expected to abide by.

Georgetown University's computer systems acceptable use policy section on "Information Security"

Users are personally responsible and accountable for the use and security of the electronic resources that they own or use.

It also reiterates that these are shared resources and should be treated as such:

Georgetown University's computer systems acceptable use policy shows section on "Shared Resources"

Access to those technology resources is not a right, but a privilege.

Oversight

The University is very transparent when it comes to how it plans to administer and ensure compliance with this policy. It reserves the right to examine all university-owned and operated computer systems and electronic resources and to take action as needed. This can include restricting or limiting access to such technology (including its networks and the material found on its computers) when evidence of a violation is found.

Note that the University mentions that abuse could lead to disciplinary or legal action.

Georgetown University's computer systems acceptable use policy section on "Administration and Implementation"

Reporting Violations

Users of the University’s technology resources are invited to report incidents and abuse of this policy to a dedicated email address and to forward any spam received to another. Moreover, it includes links to other resources where hate and bias, and copyright infringement can be reported.

Georgetown University's acceptable use policy section on "Resources and Other Applicable Policies and Procedures"

In addition to this acceptable use policy, the University has a separate document that applies to its employees’ incidental personal use of technology resources, the Incidental Personal Use of Electronic Resources Guidelines. It acknowledges that employees sometimes need to use these resources for personal purposes (though this should be restricted to matters that cannot wait to be addressed during non-work hours), specifies that such use should not hinder official business or affect the performance of an employee’s duties, and expressly prohibits some uses.

Network Provider

Software and network providers are probably the two types of businesses that almost without fail have a strong and detailed acceptable use policy in place.

AT&T, the world’s largest telecommunications company, is no exception. The company has a strong broadband network which it makes accessible to customers through its Internet and wireless plans. As such, its Acceptable Use Policy applies to all AT&T services that provide or include access to the Internet or are provided over the Internet or wireless data networks (what the company refers to as “IP Services”). By using any of these services, customers confirm that they agree to comply with the company’s policy.

Prohibited Uses

The policy starts off by stating all prohibited activities - here are the general prohibitions and statement concerning unlawful activities:

AT&T's acceptable use policy section on "Prohibited Activities"

Note how it refers to all services that can be accessed through an AT&T link - customers must abide by these services’ respective rules, guidelines, or agreements in order to be found compliant with this acceptable use policy.

It then goes on to list specific prohibited uses, such as violation of intellectual property rights, the transmission of threatening material or content, and using the services for inappropriate interaction with minors or for child pornography.

AT&T's acceptable use policy's section on unlawful activities

A large section of the policy is dedicated to the abuse of email services, including the sending of spam mail using its services - the list of prohibited activities is very detailed and in bullet-point form to make it easy to read:

AT&T's acceptable use policy section on "Spam/Email/Usenet Abuse"

In addition, AT&T strongly condemns using its services to interfere with, gain access to or violate the security of a server, network, computer, software or system, theirs or otherwise, and considers doing so a violation of its policy:

AT&T's acceptable use policy section on "Security Violations"

Responsibilities

In addition to mentioning in the clause above that ensuring the security of systems and machines that connect to AT&T’s services is the responsibility of the customer, the company states that customers remain solely and fully responsible for the content that they choose to post, host, download, upload, create, access or transmit using its services.

AT&T's acceptable use policy shows a section of "Customer Responsibilities"

This is a standard clause for a network provider, as it would be impossible and unreasonable to ask it to monitor and take responsibility for the actions of millions of customers - including such a clause makes this clear to its customers and to third parties that could be affected by their actions.

Sanctions

A few lines of AT&T’s acceptable use policy are in bold - these serve to warn customers of how the company plans to enforce this policy as well as the potential sanctions which could arise from a violation.

AT&T's acceptable use policy section on "AUP Enforcement and Notice"

While it does state that it will warn customers of a violation when feasible to give them a chance to correct their actions, the company does reserve the right to take immediate action and suspend or terminate services in some circumstances.

These notably include when the company receives a court order or government notice, or when it reasonably determines that the conduct could expose the company to liability or harm, could interfere with the company’s network or another customer’s services, violates laws or regulations, or otherwise presents an imminent risk of harm to the company or its customers.

AT&T includes a clause that directly addresses copyright infringement claims and DMCA notices, and includes an email address where all incidents should be reported for investigation.

All in all, this constitutes a fairly standard acceptable use policy for a network provider as it addresses concerns that are specific to that type of organization.

How to Draft an Acceptable Use Policy?

We trust that you will have found these examples useful as you start thinking about drafting an acceptable use policy for your own business.

While these can serve as inspiration, you should always take into consideration the particularities of your business, users, and the technology that you are making available.

Some acceptable and prohibited activities are fairly standard, but others should be directly linked to the uses that could be made of your services, as each of them has its own associated risks.

Our acceptable use policy generator is an easy solution if you want to give yourself peace of mind. After all, a good policy can help you prevent abuse and retain control over your platform or services.

Once you have made your acceptable use policy available, don’t forget to update it from time to time as your organization and its privacy challenges evolve. And when you do so, take this as an opportunity to remind your users (whether they are customers, students, or employees) of its existence.
