fbpx

What are the legal requirements for a website?

10th January

In this guide, we look at what you must do to make sure your website complies with the law, as well as some additional best practices for website owners.

Part 1 – What you MUST do

Display a valid Cookie Notice

What the law says:

Under EU wide legislation, all websites that are owned within the EU or are aimed at customers in the EU are required to comply with the Cookie Law. This is a piece of privacy legislation that requires websites to get consent from visitors to store or retrieve any information on a computer, smartphone or tablet. The intention of the law was to help protect online privacy by making consumers aware of how information about them is collected and used online, and give them a choice to allow it or not.

Cookies were first regulated under an EU Directive that was adopted by all EU countries in May 2011. The directive gave individuals the right to refuse the use of cookies that reduce their online privacy. Since that time, each country has updated its own laws to comply. In the UK this meant an update to the Privacy and Electronic Communications Regulations (PECR), which sit alongside the Data Protection Act and the GDPR to give people specific privacy rights in relation to electronic communications.

What you need to do

According to the UK Information Commissioner’s Office (ICO), your website must contain a cookie banner that:

  • tells people the cookies are there;
  • explains what the cookies are doing and why; and
  • gives people the right to refuse certain cookies
  • gets the person’s consent to store a cookie on their device.

As long as you do this the first time you set cookies, you do not have to repeat it every time the same person visits your website.

Why it matters

Failure to comply leaves you at risk of enforcement action from the ICO, which in exceptional cases may lead to a fine. Such action is not, however, the only risk to your business. Evidence indicates that consumers tend to avoid engaging with websites where they believe their privacy is at risk. There is also a generally low level of trust concerning web tracking by the use of cookies.


Satisfy the GDPR rules

What the law says

The General Data Protection Regulation (GDPR) which came into force on May 25th, 2018 was one of the most significant legislative changes affecting online businesses and has many implications for your website. Like the PECR, the law is enforced by the ICO. Put simply, GDPR governs how a business can collect, store and share personal data.

As well as transforming the rights of individuals, the act also has a huge effect on businesses who fail to comply – fines of up to 4% annual global turnover or 20 million Euros, whichever is higher. In addition, there is the risk of adverse publicity having a severe impact on your business. So what does your website have to do in order to comply with GDPR? Here’s a breakdown.

What you need to do

Obtaining data: Ensure methods of obtaining consent are up to date

The first part of GDPR compliance concerns how your business collects personal data, and this includes any information collected through your website or supplied to your website via other sources.

1. Obtain explicit user consent

You must ensure that any process your website uses to obtain consent to collect personal data is specific, informed, freely given and an absolutely clear indication of the individual’s wishes. The individual must be able to give consent by means of a simple and affirmative action on their part. It is not acceptable to assume consent has been given – so make sure you do not use pre-filled checkboxes

2. Provide granular opt-in for sign-ups

You must make sure that any request for a customer to opt-in includes a prominently displayed box that the customer must choose to click to opt-in, directly beside clear information explaining what they would be agreeing to and why. In the example of a mailing list, you should make sure that the customer has the opportunity to choose each channel they agree to be contacted by e.g. by email, telephone, SMS, etc.

You should also ensure that any customer contact forms include an explicit GDPR statement that the customer has to acknowledge.

3. Provide a Privacy Policy

You must ensure that you have a clear and easily accessible privacy policy page that explains how your organization collects, stores and shares data. This is usually best linked to site-wide from the footer.

Storing data: Make sure customer data is safe

As well as regulating how you collect data from customers, the GDPR also sets out strict rules on the measures you must take to protect this data. There is a requirement to take proactive action to prevent data breaches, which includes when data gets lost, stolen, hacked, destroyed, altered, inappropriately accessed or published without permission. In the event of a breach, there are also reporting requirements.

1. Install and configure an SSL Certificate

Make sure that you have a correctly set up SSL certificate on your website and that the site is set up to use the https connection, An SSL certificate provides security for online communications by enabling an encrypted connection, meaning that third parties cannot intercept the connection and access private data. Good quality SSL certificates require your organization to be authenticated by a trusted issuing authority.

Good to know:

In addition to GDPR compliance, an SSL certificate is also now essential to maintaining your SEO as Google will penalize sites that do not have a correctly configured SSL certificate.

2. Make sure you have a secure server environment

It is essential that your website server(s) meet minimum security requirements. This means that, at a minimum, you need to ensure that your server offers a certain level of protection from hackers.

Use secure passwords

One of the most fundamental rules is to ensure that secure passwords are mandatory and that a suitable standard of data encryption is used.

Set up a firewall

You should also ensure that you have a firewall in place that restricts access to the server, helping to prevent attacks by hackers.

Keep records

Be aware that the GDPR also covers the sharing of data, so it is pertinent to maintain records of any party which has access to your server(s) and documentation in place concerning security procedures.


Display website terms and conditions

What the law says

Any business with an online presence – even if it is not actually selling goods or services on its website – is required to provide users with certain information in order to abide by the Electronic Commerce Regulations. This includes full company details as well as a statement outlining the rights of the consumer in relation to their interactions with your business. A website terms and conditions page is often the best place to include such information.

What you need to do

Set up a clear and easy to access terms and conditions page that includes the following minimum requirements:

  • Explanation of the technical steps involved in placing an order.
  • State the terms and conditions under which a contract is made, including the applicable jurisdiction. This information must be available to the consumer in a way that can be reproduced and stored.
  • Provide the name of the service provider, its email address (a contact form is not sufficient) and a geographic address.
  • Provide acknowledgement of orders by electronic means and information on how to amend input errors made during the order process.
  • If it is a company, provide the company’s registration number and place of registration.
  • Provide membership details, including the registration number of any trade or professional association of which the service provider is a member.

As a rule, the best place to provide the majority of this information is on a clear and easily accessed Terms & Conditions page.


Display your company name correctly

What the law says

It is worth noting that alongside the Electronic Commerce Regulations, website owners must also be aware of the other various regulations governing business names which apply to:

  • individuals who trade under a name that is not their own
  • partnerships that do not operate under the names of the individual partners
  • companies / limited liability partnerships

Both the general laws on business names and the Electronic Commerce (EC Directive) Regulations 2002 require that certain information is made clearly available on a website.

What you need to do

If you are a company

If you are a registered company, you must provide the following on your website:

  • the part of the United Kingdom in which the company is registered
  • the company’s registered number
  • the address of the company’s registered office
  • that they are a limited company (for companies exempt from the obligation to use the word ‘limited’)
  • that they are a limited company (for community interest companies that are not public companies)
  • that they are an investment company (where appropriate)
  • if you have a VAT number, it should be stated – even if your website is not being used for e-commerce transactions

Whatever the structure of your company it is important to note that it is not sufficient to include a ‘contact us’ form without also providing an email address and geographic address.

If you are a sole trader or partnership

Sole traders and partnerships that are not registered companies are required to display and disclose detailed information about their businesses when they use a business name that is not their surname (with or without forenames or initials), or one that uses the names of all the partners. This is true of both business stationery and your website.

Where a sole trader or partnership carries on business under a name that is not that of the proprietor or partners their details must be fully disclosed to customers and suppliers in order to make it clear who they are doing business with.

Your website and any communications you send from it must include

  • the full name of the proprietor or all of the partners
  • an address at which the business can be contacted and have legal documents formally served on it

Make sure your advertising and marketing is legal

What the law says

Alongside everything else, it is worth mentioning that if you are selling goods or services, you also have a duty to comply with the various laws in place to protect consumers. This includes The Consumer Protection from Unfair Trading Regulations which outlaws misleading practices such as false or deceptive messages, or leaving out important information.

What you need to do

Check your product descriptions are accurate

You must provide consumers with goods or services that are as described, fit for purpose, and of satisfactory quality. This means that it is vital to review your product descriptions for accuracy.

Check that your prices are correctly displayed

You must display clear prices and state whether tax or shipping costs are included. All hidden costs must be included in the final price or made clear on any advertising materials. Providing misleading information on the pricing of goods or services is a criminal offence.

Provide written order confirmations

Written confirmation must be provided to the consumer when purchasing an item. If you run an eCommerce store, make sure that your automatic emails are correctly configured. You should check that the system automatically generates and sends the documents as required, and make sure that the content is correct.

You may also find it a good idea to make sure that your terms and conditions page reflects this.

A note for specialist websites

Certain specialist websites such as those in the finance sector, as well as sites that feature gambling, alcohol or adult entertainment are also subject to additional industry-specific regulations. Websites that are primarily intended for use by children are also becoming increasingly scrutinised. If you operate a website that may belong to a regulated sector, it is recommended to seek specialist legal advice in what you must do to comply with the law.


Part 2 – Best Practices: What you SHOULD do

Review your website accessibility

What the law says

Under current laws, only public sector websites are subject to accessibility regulation, as set out under the Public Sector Bodies (Websites and Mobile Applications) (No. 2) Accessibility Regulations 2018.

It should be noted, however, that all UK businesses remain subject to the Equality Act 2010, which imposes a legal obligation to make reasonable adjustments to accommodate the disabled when needed.

What you should do

At the moment, there is a largely discretionary approach as far as websites are concerned. As a rule, good judgement is encouraged. If you expect your website to serve specific groups of people with identified needs, then providing accessibility features to accommodate such customers would be reasonable.

For example, if you are providing an educational site that is relevant to people with impaired vision, you should consider adding accessibility features such as a high contrast option or the ability to make text larger.

Good to know:

The government has plans to monitor progress in public sector websites from January 2020, and whilst there are currently no announcements of wider plans, it is reasonable to assume that accessibility requirements may be extended to private businesses in the coming years.

In the meantime, it is advised that you consider carefully the needs of your expected visitors and do your best to acknowledge any difficulties they may encounter in using your website.


Make sure you use intellectual property properly

What the law says

Intellectual property law protects the ownership of trademarks, images and content that appear on your website. Permission is required to use any content that belongs to a third party.

What you should do

Make sure that any images, logos or trademarks you feature on your website are correctly licensed. Provided you have sourced images from a reputable stock image site and use them in accordance with the correct commercial use licensing agreement, then this is not something you should have to be worried about.

If you use third party images from other sources, ensure that you have permission. Most manufacturers provide product images and logos that are freely usable by their stockists but do be sure to check.

Protect your own intellectual property

It is also important to protect your own intellectual property by displaying a correct copyright notice as well as displaying any registered trademarks correctly, including the ® symbol. Failing to do this may mean that you are unable to take action if your intellectual property rights are violated.

hello@influxdigital.com
0161 468 2612

WeWork No.1, Spinningfields
Quay Street, Manchester M3 3JE