Mario Trujillo and Christian Romero, from the Electronic Frontier Foundation, published an analysis this week that revives an uncomfortable discussion for any SaaS: legal policies are drafted as if they were technical decisions (which clauses, which jurisdictions), when in fact they are ethical decisions (what we collect, why, what we do with it, who we share it with). The article focuses on giants like Meta, Google, and Palantir, but the question applies equally to small SaaS. This article brings it down to earth: what it means to treat legal policy as an ethical decision in a B2B product, and how to avoid drafting policies you wouldn't defend in an honest conversation with a client.
The problem: the legal hides the ethical
A privacy policy can be legally impeccable and ethically questionable. Some frequent patterns:
- An "implied consent through continued use" clause that complies with the letter of the law but that the user never read
- Data sharing with "commercial partners" without a public list of who they are
- Data retention for long periods without a clear operational justification
- Behavior tracking the user did not expect when accepting the ToS
None of these practices necessarily breaks the GDPR if the documentation is in place. But all of them are decisions that would fail the test: "if the client knew this exactly as it is, would they still trust you?"
The five-question test
Before drafting or approving any section of your legal policy, run its content through these five questions. If it fails one, that is not just a legal problem: it is an ethical problem your SaaS needs to solve before publishing.
| Question | Implication |
|---|---|
| Would a client understand it without a lawyer? | If not, rewrite in plain language |
| Would you defend it without apologizing on a sales call? | If not, change the practice, not just the clause |
| Is it still reasonable if the client were you? | The operational Golden Rule test |
| Is there a less invasive alternative that meets the same goal? | If yes, that alternative is the ethical decision |
| Would it still be justifiable in 3 years? | Ethical decisions withstand changes in context |
Typical cases where the technical decision hides an ethical one
1. Data retention "by default"
Common practice: retain everything you can "just in case". The ethical question: what do you gain from keeping a 4-year behavior log? If the honest answer is "nothing operational, but it might help someday", the ethical decision is to delete it after 90 days.
2. "Sub-processor" list without public link
Many privacy policies say "we share data with sub-processors (list available upon request)". The ethical question: why only upon request? If the practice is honest, the list is public and linked from the policy.
3. In-app tracking the user wouldn't use if they knew
Heatmaps, session replay, eye-tracking. All of it can be legal with consent, but the consent must be informed, not buried on page 7 of the ToS.
4. Permissions over user content
Clauses like "you grant us a perpetual, worldwide license to use your content" that apply to text the user uploads. The ethical question: do you need a perpetual license to operate the service? Almost never. A license limited to providing the service is enough.
The most recurrent error EFF sees in large corporations is what they call "broken commitments": companies that promised in their policy to limit data use, then changed the policy unilaterally to expand its scope. For a small SaaS the lesson is: if you are going to publish a policy, assume you will have to keep it. Reversing course later is a public signal that you cannot be trusted.
How to build a policy with explicit ethical decisions
Step 1: separate the legal from the ethical
In your internal documentation, keep two columns per clause: "legal requirement" and "our decision". Make visible where you are imposing more restrictions than the law requires (that is your ethical positioning) and where you are exploiting legal ambiguity (that is ethical debt).
Step 2: publish your voluntary restrictions
If you decide to retain data for only 90 days even though the law allows 5 years, say so in the policy. This creates brand value and filters for clients aligned with your principles.
Step 3: review every 6 months with the question "is this still the right thing?"
Context changes (regulation, expectations, public cases). What was reasonable in 2024 may not be in 2026. A semi-annual review prevents you from carrying obsolete practices forward.
The business case for explicit ethics
Enterprise B2B buyers audit supplier policies in ever greater detail. A SaaS that shows explicit ethical decisions in its policy reduces sales friction, passes vendor risk assessments sooner, and attracts clients who value transparency. Ethics is not a luxury of big companies; it is a competitive advantage for small ones.
"Your privacy shouldn't be a corporate decision" (the title of Mario Trujillo and Christian Romero's analysis on EFF Deeplinks). Applied to the small SaaS: if your privacy decisions are purely business decisions, the next thing you will adjust under pressure is client trust.
Conclusion
Legal policies are where a company publishes its most intimate decisions about how it treats the people it serves. Reducing them to a technical-legal exercise means losing the opportunity to declare who you are. For a SaaS that wants to build sustained trust with B2B clients, the legal policy is as much a brand asset as a compliance shield.
If you want to centralize your Privacy Policy, ToS, Cookie Policy, and AUP with a visible version history (so that public commitments are not silently broken) in a single dashboard, Termerly is free and supports the four main jurisdictions.


