What Is an Acceptable Use Policy? Why Every Platform, SaaS Product and Website Needs One


Legal Disclaimer

This article is published by My Legal Pal for informational and educational purposes only. It does not constitute legal advice and does not create a solicitor-client relationship. The sample Acceptable Use Policy template is a general reference document and must not be published or relied upon without review by a qualified lawyer. AUP requirements vary by jurisdiction, platform type, and user base. Always seek professional legal advice specific to your business.

An Acceptable Use Policy (AUP) is a legal document that sets the rules for how users are permitted to use a platform, software, website, or network. It defines what is allowed, what is prohibited, and what happens when someone breaks the rules. Any business that gives users access to its systems, whether through a SaaS product, an online marketplace, a community platform, or a corporate network, needs an AUP to protect itself legally and commercially.

 

The Document Most Businesses Add Too Late

An Acceptable Use Policy sits in that uncomfortable middle ground between legal documents people have heard of (Privacy Policy, Terms of Service) and the ones nobody thinks about until something goes wrong. Most platforms add an AUP after their first serious misuse incident. The smart ones have it from launch.

It matters more than founders and operators typically assume because, without an AUP, you have no contractual basis to take action when someone misuses your platform. You cannot terminate an account, block access, pursue a claim, or defend against one if there is no agreed standard of behaviour that the user accepted when they signed up.

This is not a theoretical risk. SaaS companies have faced regulatory action because their platforms were used to send spam and they had no enforceable prohibition against it. Online marketplaces have been held liable for content that their AUP would have prohibited if it existed and if it had been enforced. Enterprises have found themselves in employment disputes over personal use of company systems because there was no AUP defining what personal use was permitted.

An AUP is also not just a defensive document. For enterprise buyers, it signals that you run a serious platform. For regulators, it demonstrates that you have thought about misuse and taken steps to prevent it. For your own team, it gives clear authority to act when something is wrong.

Sample Acceptable Use Policy Template (Reference Only)


Important Notice: The template below is provided by My Legal Pal for educational and reference purposes only. It is not legal advice and should not be used as a final legal document without review by a qualified lawyer. An AUP must be tailored to your platform, your user base, and the jurisdictions you operate in. My Legal Pal strongly recommends working with a qualified technology or commercial lawyer before publishing any Acceptable Use Policy.

Who Needs an Acceptable Use Policy?

The short answer is: any business that provides access to a system, platform, or service that users can interact with. More specifically:

  • SaaS companies whose customers use their platform to store data, run processes, or communicate
  • Online marketplaces and e-commerce platforms where third parties list products or services
  • Community platforms, forums, and social products where users generate content
  • API providers who give developers programmatic access to their systems or data
  • Email or communication service providers where users send messages through the platform
  • Corporate IT departments managing internal network and device usage policies
  • Educational institutions providing students with access to digital systems
  • Cloud hosting and infrastructure providers whose services could be used to host harmful content

If your business gives someone access to something you own or operate, and they could use that access in a way that harms you, other users, or third parties, you need an AUP.

 

What an Acceptable Use Policy Actually Covers

A well-drafted AUP does three things: it defines what use is permitted, it lists what is explicitly prohibited, and it sets out the consequences of violations. Here is what each of those sections typically contains:

Permitted Use

This section clarifies the intended purpose of the platform and the scope of legitimate use. For a B2B SaaS product, permitted use is typically defined by reference to the user’s subscription tier and the product’s core functionality. The permitted use definition is important because it frames everything that follows: restrictions and prohibitions apply because they fall outside the scope of what the platform was designed to do.

Prohibited Conduct

This is the substantive heart of the AUP. The prohibited conduct section lists the specific behaviours that are not allowed. Categories typically covered include:

  • Illegal activity: using the platform for fraud, money laundering, distribution of illegal content, or any activity that violates applicable law
  • Harmful content: uploading, transmitting, or displaying content that is defamatory, harassing, threatening, discriminatory, or constitutes hate speech
  • Intellectual property violations: infringing copyright, trademark, or other IP rights through content uploaded or transmitted using the platform
  • Security attacks: attempting to gain unauthorised access to systems, conducting denial-of-service attacks, distributing malware, or probing for vulnerabilities
  • Spam and unsolicited communications: using the platform to send bulk unsolicited messages, phishing communications, or deceptive content
  • Abuse of the service: creating excessive load, scraping data in violation of the terms, sub-licensing access, or using the service in ways that degrade performance for other users
  • Misrepresentation: creating false accounts, impersonating others, or providing false information to gain access

Consequences of Violation

Without this section, the AUP is a wish list rather than an enforceable policy. The consequences section gives you the contractual authority to act. Typical provisions include suspension or termination of the account, removal of specific content, reporting to law enforcement where required by law, and the right to seek damages or injunctive relief. Some AUPs also include a notice and cure provision, giving users an opportunity to remedy a breach before termination, though this is typically reserved for non-serious violations.

Reporting Mechanism

A practical but often absent element. Users and third parties need a clear way to report violations. This is particularly important for platforms hosting user-generated content, where your ability to claim safe harbour protections under frameworks like the EU Digital Services Act, Section 230 in the US, or the UK Online Safety Act partly depends on having a functioning notice and takedown process in place.

 

Need an AUP drafted for your platform or product?

My Legal Pal’s technology lawyers draft Acceptable Use Policies that are enforceable, jurisdiction-compliant, and tailored to how your platform actually works.

Get Your AUP Drafted at MyLegalPal.com

My Legal Pal  |  Making Legal Simple

 

AUP vs Terms of Service: Understanding the Difference

This is one of the most common questions operators ask, and the confusion is understandable because the two documents overlap. The distinction is one of scope and specificity.

Your Terms of Service is the master contract governing the entire commercial and legal relationship between your business and the user. It covers payment terms, liability, dispute resolution, intellectual property ownership, and termination rights. It is broad by design.

Your AUP is focused specifically on behaviour. It does not deal with payment or liability in general. It answers one question: what are you allowed and not allowed to do with this platform? In practice, many businesses include AUP-equivalent provisions within their Terms of Service. This works for simple platforms with limited misuse risk. For more complex platforms, particularly those with API access, user-generated content, or enterprise customers who want to see a standalone policy during procurement, a separate AUP is the better structure.

When both documents exist, the AUP is typically incorporated by reference into the Terms of Service. A user who violates the AUP is also in breach of the Terms of Service, which triggers the termination and liability provisions in that document.

 

What Regulators and Courts Say About Acceptable Use Policies

  • EU Digital Services Act (DSA, 2024): The DSA requires online platforms operating in the EU to maintain clear and accessible terms of service that include rules on content moderation, prohibited uses, and redress mechanisms for users. For larger platforms, this includes detailed transparency reporting and mandatory notice and action procedures. An AUP is a core component of DSA compliance for platforms with EU users.
  • UK Online Safety Act 2023: The Act imposes enforceable duties on UK-based platforms and platforms with UK users to prevent and remove illegal content and to protect users from certain categories of harmful content. Ofcom can issue substantial fines for non-compliance. Having a clear, enforced AUP is a fundamental part of demonstrating compliance with the Act’s user protection duties.
  • US Communications Decency Act Section 230: One of the most important legal frameworks for online platforms in the US, Section 230 provides immunity from liability for third-party content, but courts have consistently noted that platforms must take reasonable steps to moderate content and enforce their own policies to maintain the credibility of their Section 230 defence. An AUP that is published but never enforced provides weaker protection.
  • Indian IT Act 2000 and IT (Intermediary Guidelines) Rules 2021: Platforms operating in India are required to publish clear rules and regulations, privacy policies, and user agreements that prohibit specific categories of harmful or illegal content. Failure to comply can result in loss of intermediary liability protection under the IT Act.
  • CAN-SPAM Act (US) and EU ePrivacy Directive: Both frameworks impose obligations on platforms that enable bulk email sending. An AUP that explicitly prohibits spam and unsolicited communications, and that is enforced, is an important element of a platform’s compliance posture under both frameworks.

The regulatory direction globally is toward greater platform accountability. An AUP is no longer a nice-to-have. In several jurisdictions it is now a legal requirement.

 

How AUP Requirements Vary by Jurisdiction

Jurisdiction | Key AUP-Related Legal Obligations
European Union | DSA requires clear terms and content moderation policies for all platforms with EU users. GDPR obligations intersect with data processing provisions in the AUP. NIS2 Directive requires acceptable use controls for essential and important entities.
United Kingdom | Online Safety Act 2023 mandates safety duties and enforceable terms for platforms with UK users. ICO expects AUP-aligned data handling provisions. Defamation Act 2013 creates safe harbour for operators who follow proper takedown procedures.
United States | No federal AUP requirement but Section 230 immunity is strengthened by active policy enforcement. CAN-SPAM compliance requires anti-spam provisions in platform policies. State laws (California, New York) impose additional content and data obligations.
India | IT (Intermediary Guidelines) Rules 2021 require platforms to publish rules prohibiting specific illegal and harmful content categories. Non-compliance results in loss of safe harbour under the IT Act. DPDPA 2023 intersects with data handling in the AUP.
Australia | Online Safety Act 2021 imposes content moderation obligations on social media services with Australian users. eSafety Commissioner can issue formal notices requiring compliance with basic online safety expectations.
Singapore | Electronic Transactions Act and PDPA create baseline obligations. The Online Safety (Miscellaneous Amendments) Act 2022 imposes new content regulation duties on designated social media services operating in Singapore.

 

Six AUP Mistakes That Leave Platforms Exposed

  • Writing prohibitions in vague language. ‘Do not use the platform for harmful purposes’ is not enforceable. A prohibition needs to be specific enough that both parties know when it has been violated.
  • Not updating the AUP as the platform evolves. An AUP written for a simple SaaS product does not cover API access, mobile apps, or user-generated content that were added later. The AUP must reflect how the platform actually works today.
  • Having an AUP but never enforcing it. Courts and regulators look at whether policies are actually applied. A pattern of tolerating violations you are aware of weakens your legal position and, in some jurisdictions, can reduce your safe harbour protection.
  • Not including a reporting mechanism. Without a clear process for users or third parties to report violations, you lose the ability to claim you acted promptly when problems are raised.
  • Treating the AUP as a purely internal document. It must be clearly visible to users, accepted at signup or login, and referenced in the Terms of Service. An AUP that users have not seen and agreed to cannot bind them.
  • Copying another company’s AUP verbatim. Beyond being copyright infringement, another company’s AUP reflects their platform, their user base, and their risk profile, not yours.

 

 

 

Need a properly drafted AUP for your platform?

My Legal Pal drafts Acceptable Use Policies for SaaS products, online platforms, API providers, and enterprise IT environments, enforceable and jurisdiction-specific.

Get Your AUP Drafted at MyLegalPal.com  |  Making Legal Simple.


Frequently Asked Questions

Q: Is an Acceptable Use Policy a legal requirement?

A: In an increasing number of jurisdictions, yes. The EU Digital Services Act, the UK Online Safety Act, and India’s IT Intermediary Guidelines all impose obligations on platforms that are substantially fulfilled through a published and enforced AUP. In the US, while there is no general federal AUP requirement, having one is a practical necessity for Section 230 liability protection and for compliance with sector-specific laws around spam, financial services, and healthcare. For enterprise B2B SaaS, customers will often require an AUP as part of their vendor due diligence.

Q: Can I combine my AUP with my Terms of Service?

A: Yes, and many businesses do, particularly at an early stage when a standalone AUP would feel disproportionate to the product’s complexity. The practical question is whether users can easily find and understand the rules about what they can and cannot do. If your Terms of Service is already long and detailed, burying behavioural rules within it reduces their effectiveness and makes enforcement harder to justify. For platforms with meaningful misuse risk, user-generated content, or API access, a standalone AUP that is clearly linked from the Terms of Service is the better structure.

Q: How should users accept the AUP?

A: The same way they accept your Terms of Service: through a clear acceptance mechanism at registration, at first login, or at the point of access. This can be a checkbox, a clickthrough confirmation, or a signed agreement in a B2B context. The key principle is that you need evidence that the user saw the AUP and agreed to it before they used the platform. A link in the footer of your website that users might theoretically read is a much weaker acceptance mechanism than an explicit confirmation at signup.

Q: What happens if I have an AUP but do not enforce it?

A: Several bad things, from multiple directions. First, if you are aware of violations and consistently fail to act on them, you may be seen as having waived your right to enforce the policy in future disputes. Second, in jurisdictions where safe harbour protection (Section 230, EU DSA, IT Act India) depends on having effective content moderation, a policy that is published but ignored provides weaker protection than no policy at all because it shows awareness without action. Third, enterprise customers who discover you do not enforce your own terms lose confidence in the platform’s reliability and governance.

Q: Does my AUP need to address AI-generated content?

A: If your platform allows users to create, upload, or share AI-generated content, or if your platform itself uses AI to generate content, your AUP should address this. Key issues include prohibitions on using AI to create deepfakes, impersonations, or disinformation; restrictions on using AI-generated content in ways that infringe third-party rights; and disclosure requirements for AI-generated outputs where applicable. The EU AI Act, which began applying in stages from 2024, imposes specific transparency obligations for certain AI uses that should be reflected in platform policies.

Q: How often should I update my AUP?

A: Review it whenever you add significant new features or capabilities to your platform, whenever applicable law changes in a material way (the DSA and UK Online Safety Act have both required policy updates from most affected platforms), and at minimum once a year as a routine check. The AUP should always reflect how the platform actually works and what risks it actually presents. One that was written for a simple tool and never updated as the product grew into something more complex is a document that is no longer fit for purpose.

 

The AUP Is Where Your Platform Takes a Stand

Every platform operator makes choices about what kind of community and commercial environment they are creating. The Acceptable Use Policy is where those choices become legally binding commitments, both to your users and to regulators who are increasingly asking to see evidence of them.

A well-written AUP does something that most legal documents do not: it communicates clearly to users what you expect from them and what they can expect from you when things go wrong. That clarity is good for trust, good for your legal position, and good for the long-term health of your platform.

The template in this guide gives you a solid starting point for understanding what an AUP should contain. As with every document in your legal stack, the next step is to have it reviewed and tailored by a lawyer who understands your product and the markets you operate in.

Practical note: The moment to get your AUP in place is before your first user, not after your first misuse incident. Platforms that have to draft an AUP in response to a specific problem are almost always drafting it in a reactive, narrower way than they would have done with a clear head before launch. My Legal Pal helps platforms get this right from the start.

 

Ready to get your platform legally protected?

My Legal Pal drafts the full suite of platform legal documents: AUP, Terms of Service, Privacy Policy, DPA, and more, specific to your product, jurisdiction, and risk profile.

Start at MyLegalPal.com  |  My Legal Pal  |  Making Legal Simple.


 
