How to Write Terms of Service: The Complete 2026 Guide

Why You Need Terms of Service

Terms of Service are the contract between you and everyone who uses your site, app, or service. They do five things that default law does not: they limit your liability, disclaim warranties the law would otherwise imply, set the rules for resolving disputes (arbitration versus court), protect your intellectual property, and define what users can and can't do on your platform. Without them, every user is operating under the default rules of their jurisdiction — which in consumer-friendly places like California, New York, the EU, and Brazil means default rules heavily in the user's favor.

Practical consequences of not having a ToS range from expensive to fatal. App stores (Apple, Google), payment processors (Stripe, PayPal), B2B partners, and enterprise customers all require a published Terms of Service before they'll work with you. Investors flag missing ToS in diligence. A SaaS platform charging $50 a month can face millions in damages from a single enterprise customer if the platform fails and there's no liability cap in place — a situation that's economically viable only because liability caps exist.

This guide walks through what a real Terms of Service does, how it actually gets enforced by courts, and how to draft one that holds up. The UDT Terms of Service Generator automates the template; this article explains what the template is actually doing and why each clause is there.

Clickwrap vs Browsewrap: Why It Matters

The single most important question in ToS enforceability is not what your Terms say — it's how users agree to them. Courts recognize two patterns, and they treat them very differently.

Clickwrap requires the user to take an affirmative action — checking a box, clicking an 'I agree' button, or clicking a 'Sign up' button placed next to a clear 'By signing up you agree to our Terms' notice. Clickwrap agreements are enforced routinely. Meyer v. Uber (2d Cir. 2017), Cullinane v. Uber (1st Cir. 2018), and dozens of follow-on cases uphold clickwrap arbitration clauses and class-action waivers because the user manifested consent through a clear act.

Browsewrap is the opposite — Terms posted somewhere on the site (often the footer), with the theory that users agree by continuing to use the service. Courts reject browsewrap when the Terms were not conspicuous. Specht v. Netscape (2d Cir. 2002) is the foundational case: Netscape's arbitration clause was buried below a download button, and the court refused to enforce it. Nguyen v. Barnes & Noble (9th Cir. 2014) reached the same result — a ToS link in the footer, with no affirmative acknowledgement, was not enough to form a contract.

If your Terms include arbitration and a class-action waiver, this matters even more. Those clauses are the ones plaintiffs' lawyers attack first, and they attack them by arguing the underlying contract never formed. Win the formation fight with a conspicuous clickwrap and the downstream clauses hold up. Lose it with a hidden browsewrap and nothing in your ToS is enforceable.

The 12 Sections Every Enforceable ToS Needs

Terms of Service are structured documents. Every modern ToS — Apple's, Google's, Stripe's, OpenAI's, Uber's — has the same core sections, even if the specific clauses vary. Here's the canonical outline and what each section does.

• Acceptance and binding agreement — Defines who the parties are, how the user accepts, and that continued use means continued acceptance. This is the formation clause and it's where enforceability is won or lost.
• Account eligibility — Minimum age (COPPA says 13, GDPR-K says 16 in most EU countries, some services pick 18), account accuracy requirements, one-account-per-user rules, consequences of false information.
• Subscriptions and billing — Billing cycle, currency, auto-renewal disclosure (California and EU require explicit disclosure), price-change notice, cancellation mechanics, refund policy. 2026 note: the FTC click-to-cancel rule is in flux after the Fifth Circuit's February 2026 vacatur, but the underlying principle — cancellation must be as easy as signup — remains best practice.
• Acceptable Use Policy — The list of things users can't do: illegal activity, infringement, harassment, spam, malware, unauthorized access, scraping, reverse-engineering. The AUP is what lets you terminate abusive accounts without breach.
• Intellectual property — Your IP (software, content, brand) is yours. Users get a limited license to use the service. Feedback users give you is licensed to you royalty-free. This is boilerplate but essential.
• User-generated content — If users upload anything, you need a license to host and display it. You also need a representation that they own what they upload and aren't infringing. Without this, you're infringing every time a user uploads a copyrighted image.
• DMCA safe harbor — If you host UGC, you need a DMCA agent registered with the US Copyright Office, a published takedown process, a counter-notification process, and a repeat-infringer policy. Miss any of these and you lose the 17 U.S.C. § 512 safe harbor and become directly liable for user infringement.
• Warranty disclaimers — The 'AS IS' clause in ALL CAPS. UCC § 2-316 requires that disclaimers of implied warranties (merchantability, fitness for purpose) be conspicuous, which courts interpret as meaning formatted to stand out — typically ALL CAPS or bold.
• Limitation of liability — Two parts: a cap on direct damages (3, 6, or 12 months of fees paid is typical for SaaS; amount paid for the order is typical for e-commerce), and an exclusion of consequential damages (lost profits, data loss, business interruption). Both are required; caps without consequential-damages exclusions are often deemed illusory.
• Indemnification — User promises to cover you if they cause a third-party claim against you. For B2B/agency contracts, indemnification is usually mutual (both parties indemnify for their own IP warranties).
• Dispute resolution — Arbitration vs court, class-action waiver, opt-out mechanism, informal resolution step, venue for claims that escape arbitration. This is the section plaintiffs' lawyers attack.
• Governing law and venue — Which state/country's law applies and where claims can be filed. Important: consumers in the EU, UK, Australia, and Brazil retain non-waivable statutory rights regardless of your governing-law clause.
• Termination and changes — How either party can end the relationship, what survives termination (fees, IP, liability, arbitration), and how you can update the Terms (material-change notice is required for future enforceability).
• Miscellaneous — Entire agreement, severability (one bad clause doesn't kill the whole doc), assignment, force majeure, notices, contact info, effective date. Boilerplate but load-bearing.

Terms Differ by Business Model

A SaaS ToS is not the same as an e-commerce ToS is not the same as a marketplace ToS. Most competitor generators ignore this and produce a generic template, but the legal risk profile really is different for each business model. The UDT generator has 10 business-model templates for exactly this reason.

SaaS platforms center on subscriptions, data handling, uptime, and B2B liability. Typical liability cap is 12 months of fees paid; arbitration is standard; AUP is critical because you're hosting user data and need the right to suspend abusive accounts without breach.

E-commerce stores center on product descriptions, pricing, order acceptance, shipping, and returns. Liability is usually capped at the purchase price of the specific order. Consumer-rights carve-outs are mandatory in the EU, UK, and Brazil — those laws give consumers 14-day withdrawal rights on most online purchases regardless of what your ToS says.

Marketplaces (multi-sided platforms like Etsy, Airbnb, DoorDash) have the most complex ToS because Company is not a party to the transaction — the buyer and seller transact, and Company is just the platform. The critical clauses are 'Company's role' (disclaiming party status), seller obligations (listing accuracy, tax, compliance), buyer responsibilities (due diligence), and a release of platform claims so users can't sue you over disputes they have with each other.

Mobile apps need Apple App Store and Google Play passthrough terms. Apple requires specific language making it a third-party beneficiary and disclaiming Apple's support/warranty obligations. In-app purchases and subscriptions are processed by the platform's billing system, so your refund policy has to defer to the platform.

API / developer platforms need API-key confidentiality clauses, rate-limit language, data-usage restrictions (no training competing models on API output), and deprecation-notice terms (typically 90 days for breaking changes). Export-control language is often appropriate because technical APIs can trigger EAR/OFAC issues.

UGC communities live or die on DMCA compliance and content-moderation authority. You need a registered DMCA agent, a takedown process, and broad content-removal authority. Section 230 gives you a federal defense to claims arising from third-party content, but only if you follow the statute.

Newsletters and content sites are mostly about IP — protecting your articles — and disclosures. Affiliate links require FTC-compliant disclosure; sponsored content needs clear labels. Liability is usually low-stakes ($100 or the equivalent) because users aren't paying much for the product.

Digital products (downloads, templates, ebooks, courses) need a clear license scope (personal vs commercial, single vs team), anti-redistribution language, and a 'no refunds on delivered digital goods' clause — carved out for the EU's 14-day withdrawal right, which consumers can expressly waive on immediate-delivery content.

Subscription services (non-SaaS — streaming, subscription boxes, memberships) share auto-renewal, cancellation, and price-change terms with SaaS, but often have physical-goods shipping terms bolted on. Click-to-cancel compliance is especially scrutinized here.

Agency / consulting contracts are the odd one out: no arbitration by default, mutual indemnification, work-product ownership transferring on payment, timelines tied to client cooperation, separate SOWs incorporated by reference. Liability caps are tied to contract value.

The Arbitration Decision

Should your Terms include binding arbitration? It's one of the most consequential decisions in the whole document, and the answer is 'usually yes, if done right.'

The case for arbitration is straightforward: class-action lawsuits are existential risks for small companies. A single consumer class action against a subscription service can produce eight- or nine-figure exposure. Binding arbitration with a class-action waiver moves every dispute into individual arbitration, which is faster, cheaper, and non-precedential. This is why OpenAI, Uber, Netflix, and essentially every major consumer service include arbitration.

The case against: plaintiffs' firms have started filing mass arbitrations — thousands of individual demands at once, each triggering filing fees the company has to pay. The up-front cost can exceed what a class action would have cost. The UDT generator offers a batch arbitration clause that groups similar demands into batches of 50, which caps the exposure. OpenAI, DoorDash, and many modern ToS now include batch-arbitration language.

If you include arbitration, do it right:

When to skip arbitration: B2B agency contracts often use mediation instead, because the relationship is ongoing and the disputes are commercial rather than consumer. Some enterprise customers refuse to accept arbitration and want court access. Regulated industries (healthcare, finance) have sector-specific rules. But for general-purpose consumer SaaS, e-commerce, marketplaces, and apps, arbitration is standard practice and strongly recommended.

1. Include a 30-day opt-out. Without an opt-out, courts are more likely to find the clause unconscionable. With one, enforceability approaches 100%. The opt-out is rarely used (<1% of consumers opt out), so it's nearly free.
2. Include an informal-resolution step. A 30-day 'contact us first' requirement before arbitration costs you almost nothing and weeds out frivolous demands. Courts view this as good faith.
3. Scope it narrowly. This is the California SB 82 issue. The bill, effective January 1, 2026, requires arbitration clauses for consumer goods and services to be limited to claims 'arising out of and relating to the contract containing the agreement.' Disney+ tried to use its streaming ToS to force a wrongful-death claim at Disney theme parks into arbitration — SB 82 closes that door. If your Terms cover multiple products, scope each arbitration clause to its own product.
4. Pick a real administrator. JAMS and the American Arbitration Association (AAA) are the defaults for US consumer arbitration. NAM is common for batch arbitration. ICC or SIAC for international commercial disputes. Don't invent your own arbitrator or pick someone the user has never heard of — courts scrutinize this.
5. Include a class-action waiver. The Supreme Court has repeatedly upheld class waivers in consumer arbitration (AT&T Mobility v. Concepcion, Epic Systems v. Lewis). Without the waiver, you get the worst of both worlds: arbitration fees plus class exposure.

Liability Caps: Setting the Ceiling

The limitation-of-liability clause is the most important economic clause in your entire ToS. It's what keeps a $50/month SaaS subscription from exposing you to $10 million in damages when a platform failure costs the customer their business.

A complete liability clause has three parts: a cap on direct damages, an exclusion of consequential damages, and carve-outs to both.

The cap. This is the maximum the company will pay in direct damages. Industry-typical amounts by business model:

The consequential-damages exclusion. This excludes lost profits, revenue, data, goodwill, and business opportunity — the 'big number' damages that would otherwise swamp the cap. The language is almost always in ALL CAPS to satisfy conspicuousness requirements. Without this exclusion, a plaintiff can argue the cap was illusory because the consequentials blow through it anyway.

• 3 months of fees: Conservative SaaS, usually B2C; rare in B2B where customers push back.
• 6 months of fees: Mid-market SaaS, marketplaces where transaction value is moderate.
• 12 months of fees: Standard for B2B SaaS, APIs, and enterprise-leaning services. Most widely accepted and least likely to be renegotiated.
• Purchase price / order amount: E-commerce and digital products. Liability for a $40 order is capped at $40.
• Flat $100: Free-to-use community sites, newsletters, content sites where no money changes hands. Courts sometimes find a $0 cap illusory, so $100 is the practical floor.
• Contract value: Agency and consulting — cap is tied to fees under the applicable Statement of Work.
• Greater of $100 or 12 months: Defensive posture — ensures something is owed even to low-paying customers.

The carve-outs. Standard carve-outs that don't get limited by the cap or exclusion: (a) the user's obligation to pay fees owed, (b) each party's indemnification obligations, (c) gross negligence, willful misconduct, or fraud, (d) breaches of confidentiality, and (e) anything that can't be limited under applicable law. The carve-outs make the rest of the clause more defensible — a cap with zero carve-outs looks one-sided and draws scrutiny.

One common mistake: setting liability too low. A $1 cap or a $0 cap looks clever but attracts unconscionability challenges. The practical floor is $100, and for paid services, tying the cap to fees paid is more defensible than a flat low number.

DMCA and User-Generated Content

If your service accepts any user-uploaded content — comments, posts, photos, videos, documents, reviews — you are potentially liable for copyright infringement committed by your users unless you qualify for the DMCA's safe harbor under 17 U.S.C. § 512.

The safe harbor is conditional. To qualify, you have to do four specific things:

The UDT generator includes all four elements as separate clauses in the DMCA group, and the enforceability scorecard flags missing ones for UGC sites. The clauses are drafted to track the statute closely because courts scrutinize DMCA compliance more strictly than most contract provisions.

1. Designate a DMCA agent. Register an agent with the US Copyright Office and publish the agent's contact information on your site. This is the single most common DMCA failure — businesses publish a takedown email but never formally register. Registration costs $6 and is done through the Copyright Office's DMCA Designated Agent Directory. Without registration, you're not in the safe harbor no matter what your ToS says.
2. Publish a notice procedure. Tell copyright owners exactly how to submit a takedown: required elements (signature, identification of the work, identification of the infringing material, contact info, good-faith statement, accuracy attestation under penalty of perjury), and where to send it.
3. Act on valid notices promptly. When you receive a valid notice, remove or disable access to the material expeditiously. 'Expeditiously' isn't defined but generally means within a few business days.
4. Maintain a counter-notification process and repeat-infringer policy. Users whose content was removed can counter-notify; if the original complainant doesn't file suit within 10-14 business days, you can restore the material. You also need a policy to terminate accounts of repeat infringers — both requirements are in the statute.

User-generated content also needs a license clause. When a user uploads a photo to your service, they own the copyright, but you need a license to host, display, cache, and back up the photo — without a license, you're infringing every time a user sees it on your site. The standard grant is 'worldwide, non-exclusive, royalty-free, sublicensable, transferable license to host, store, reproduce, display, and distribute' the content for the purpose of operating the service.

Narrow this license as much as the business allows. Big-tech platforms take broad licenses that include promotional use. Smaller services should take a narrow operational license and explicitly exclude training third-party AI models unless the user consents — that's increasingly a dealbreaker for enterprise customers.

Finally, Section 230 of the Communications Decency Act (47 U.S.C. § 230) gives US interactive-service providers broad immunity from claims arising out of third-party content. It's the statute that makes UGC platforms economically viable. A simple Section 230 acknowledgement in your ToS doesn't change your legal status (Section 230 applies by operation of law), but it signals to users and plaintiffs' counsel that you're asserting the protection.

The New AI Clauses

If your service uses AI — even just ChatGPT-style text generation or an embedded OpenAI call — your Terms of Service need clauses that most pre-2024 generators still don't include.

AI features disclosure is the foundation. Users should know the service uses AI, that AI output can be incorrect, biased, or misleading, and that they should verify output before relying on it. This is required disclosure under the EU AI Act (full enforcement August 2026) for high-risk AI systems and broadly encouraged by FTC Section 5 enforcement against 'AI washing.'

Training data usage — say clearly whether you use customer inputs or outputs to train AI models. If yes, disclose it prominently and consider offering an opt-out. If no, say so (this is a selling point for B2B customers). Ambiguous language here is a litigation magnet; the plaintiffs' bar has already filed cases against AI services over alleged training on private data.

AI output rights — clarify who owns AI-generated content. The common answer: the user owns their output subject to compliance with the Terms. The wrinkle: AI models can produce similar outputs for different users, so you can't promise exclusivity. The generator's clause handles this honestly.

Automated decision-making — if your AI makes decisions that produce legal or similarly significant effects (credit, hiring, insurance, housing), GDPR Article 22 gives users the right to human review, to contest the decision, and to express their point of view. This is also covered by the Colorado AI Act (effective June 30, 2026) and NYC Local Law 144 for hiring algorithms.

AI model provider passthrough — if you use OpenAI, Anthropic, Google Vertex, AWS Bedrock, or Azure OpenAI, their usage policies flow through to your users. Acknowledging this in your ToS prevents a mismatch where your Terms promise something the upstream provider prohibits.

Professional-advice disclaimer — critical for any AI that could be mistaken for legal, medical, financial, or tax advice. The FTC has shown willingness to pursue deceptive-practices claims where AI output was presented as reliable professional guidance (the Rytr matter is an example). The clause is short: AI output is informational only, consult a qualified professional.

Governing Law and the Consumer Carve-Outs

The governing-law clause tells courts which jurisdiction's substantive law interprets your contract. The venue clause tells them where claims can be filed. Together they can dramatically affect outcomes — a case decided under California consumer-protection law is very different from the same case decided under Delaware contract law.

For most US-based businesses, the sensible defaults are:

For international businesses, choose a jurisdiction with a developed commercial-contract regime — Singapore, the UK, Delaware, or a major EU member state. Avoid obscure jurisdictions with unpredictable court systems; venue credibility matters.

• Your state of incorporation (typically Delaware for C-corps) for governing law if you want the deepest contract case law.
• Your principal place of business for governing law if you want home-field legal familiarity.
• A specific county and state for venue — usually the one containing your headquarters.

The important wrinkle: consumer carve-outs. The EU, UK, Australia, and Brazil all have non-waivable consumer-protection statutes that apply regardless of your governing-law clause. A consumer in Germany cannot be forced to litigate a dispute under Delaware law when German consumer-protection law gives them greater rights — German courts will apply German law to the consumer protections and Delaware law to everything else.

The practical implication: your governing-law clause sets the default, but for consumer-facing services you also need a 'consumer-rights preserved' clause that explicitly doesn't override non-waivable statutory rights. The UDT generator includes this clause and flags it when the jurisdiction selection implicates EU/UK/AU/BR users.

There's also a 2026-specific issue: California SB 82 limits arbitration scope to claims 'arising out of and relating to the contract containing the arbitration agreement.' If you pick California law and include arbitration, the clause needs this scope language. The UDT generator's arbitration clause includes it by default.

Updating Terms Without Losing Enforceability

Terms of Service aren't published once and forgotten. You'll update them — for new products, for legal changes, for pricing adjustments, for new business models. The question is how to update without invalidating the whole agreement.

The rule is: material changes require notice and a fresh manifestation of assent. A 'changes to these Terms' clause in your current document gives you the right to update, but it doesn't automatically bind users to future versions. Courts have consistently held that unilateral changes to important terms — especially arbitration clauses, liability caps, and fees — need user notification before they take effect.

The enforceable pattern:

A few rarely-used but useful patterns: version the Terms with a visible version number and last-updated date at the top of the document, maintain a changelog linked from the Terms, and use a JSON-exportable configuration (like the UDT generator produces) so you can version-control your Terms alongside your code.

1. Give advance notice. Email or in-app notification 30 days before the change takes effect, highlighting what changed. Don't rely on a quiet update to the hosted Terms page.
2. Require a fresh click for material changes. When the user next logs in, present a modal: 'We've updated our Terms of Service. You can review the changes here. By clicking Continue, you agree to the updated Terms.' This regenerates the clickwrap consent for the new version.
3. Distinguish material from immaterial. Typo fixes, reformatting, and clarifying language don't need modal prompts. Changes to arbitration, liability, data practices, fees, or user rights do.
4. Keep an archive. Hosted at /terms/archive/ or similar. Track which version the user agreed to and when. This is your evidence if a dispute later turns on which version applied.
5. Give users an exit. Users who don't accept material changes should have an easy path to cancel — keeping a forced update with no cancellation option is the scenario courts most often strike down as unconscionable.

When a Generator Is Enough, When You Need a Lawyer

A good Terms of Service generator — with comprehensive clauses, jurisdiction support, enforceability checks, and current case-law references — is sufficient for the majority of new online businesses. But a generator is a starting point, not a finish line. Here's how to decide which category you're in.

A generator is enough when:

You need a lawyer when:

• Your business is a standard B2C or SMB B2B model (SaaS, e-commerce, mobile app, newsletter, digital products, freelance services).
• Revenue is under $1M ARR and contract values are under $10K.
• You're not in a regulated industry (healthcare, finance, children's services, insurance, securities, cannabis, firearms, online gambling, adult content).
• You don't do enterprise deals with heavy indemnification or custom terms.
• You're not operating in multiple international jurisdictions with unique consumer-protection regimes (beyond EU/UK/AU/BR, which the generator handles).
• You're comfortable using the generator's enforceability scorecard to verify your setup is solid.

The realistic budget for a lawyer-drafted ToS is $1,500-$5,000 for a small business, $5K-$15K for a growth-stage company, and $15K+ for complex international operations. A generator-drafted ToS gets you 80% of the way there for $0 — which is why so many successful companies start with a template and upgrade to counsel-drafted Terms as they scale.

• You're in a regulated industry. HIPAA, GLBA, COPPA (for kids-focused products), PCI-DSS, HIPAA, insurance law, or securities law imposes specific requirements a generator can't anticipate.
• You're negotiating enterprise contracts. Custom MSAs, SOWs, and order forms usually require counsel — and the ToS interactions with those contracts need care.
• You've received or sent a legal threat. Once there's active dispute potential, retroactively changing your ToS is risky and a lawyer can advise on both the ToS and the dispute.
• You're doing M&A or raising a round. Diligence counsel will review your ToS and often recommend updates; do this before the data room goes live.
• Your business model is novel. Anything involving crypto, AI agents acting autonomously, health data, financial advice, or children has evolving legal frameworks where recent case law matters.
• You're operating in jurisdictions outside the generator's coverage. Smaller jurisdictions often have specific requirements the generator doesn't address.

The UDT generator's JSON export is designed specifically for the scale-up moment: hand the JSON config to your attorney, and they can see exactly what's in your current Terms without having to parse the document from scratch.

A Practical Publishing Workflow

Here's the step-by-step workflow for publishing a new Terms of Service, in the order that minimizes rework.

That's it. A complete Terms of Service, enforceable against users, updatable over time, with a clear paper trail. Start the workflow in the generator and iterate — publishing something solid this week is better than drafting something perfect next quarter.

1. Pick the right business-model template. SaaS, e-commerce, marketplace, etc. If in doubt, start with the closest match — you can switch later.
2. Fill in business details. Legal entity name, address, service name, contact emails. Use your registered-agent address for the DMCA agent if you don't have a dedicated legal contact.
3. Choose governing law. Your state of incorporation is the typical default. Read the 'Consumer carve-outs' note and decide if you need a consumer-rights-preserved clause.
4. Review the clause library. Work through each section. Required clauses are the backbone; recommended clauses fix specific gaps; optional clauses are situational. Don't include everything — pick what fits.
5. Configure dispute resolution. Pick a liability cap, choose arbitration or not, pick the administrator if arbitration is on, enable the opt-out and informal-resolution steps.
6. Check the enforceability scorecard. Run through each check. Anything marked 'fail' is a specific gap — add the missing clause or confirm the requirement (like 'conspicuous notice'). Target 90%+ before publishing.
7. Export the document. HTML for your hosted Terms page, Markdown or PDF for team review, JSON for version control. Save the JSON to a private repo — this is your source of truth.
8. Host at a stable URL. /terms/ or /terms-of-service/ — users will link to it. Don't move the URL without a 301 redirect.
9. Integrate the clickwrap. Every 'I agree' / sign-up / checkout button gets a visible 'By clicking X, you agree to our Terms of Service and Privacy Policy' line immediately next to it, with the Terms link hyperlinked.
10. Register your DMCA agent (if UGC). File with the US Copyright Office. The confirmation will include your agent's directory listing URL — add it to your Terms.
11. Set a review cadence. Calendar reminder every 6 months. Check when: you add a product, add AI features, enter a new market, or a major legal development lands.
12. Archive old versions. When you update, save the old version at /terms/archive/YYYY-MM-DD/. Track which users accepted which version.