Requirements and best practice for legal information on your website
First published on the miggle blog 12/9/16 — written by Adam Browne
Basic questions
Do I need to read this?
This post refers to all UK business websites (both B2B and B2C). Personal websites are generally exempt from these requirements.
What are the potential ramifications?
Failure to comply with consumer protection regulations could result in action being taken by consumer protection bodies, regulators (in the UK, the Information Commissioner’s Office), or by customers themselves. It could also result in damage to a business’s reputation.
In practice the initial response is unlikely to be anything more than a letter asking you to correct the situation. But providing required information in a prominent place can provide reassurance to your audience.
How could Brexit affect this area?
EU directives have been enabled in the UK by various Regulations. If the UK leaves the EU, legislation may be re-examined — but in the short to medium term, things are unlikely to change.
What you need to tell users
Who you are
Every operator of a business website must publish basic identifying information:
- name
- geographical address
- contact details (both email and non-electronic)
- details of any relevant supervisory authority
- VAT number, if registered
This information does not need to be on every page, but it must be clear and easily accessible. Links from a website page footer to specific pages are generally acceptable.
Specific types of websites will require additional details:
- Limited companies must show the company registration information: usually the registered number, registered address and any trading names
- Members of regulated professions must show the professional body and regulations
- Websites where goods and services are sold online must provide details of the contracts, Terms and Conditions for the contracts, and Delivery and Returns Policy
What personal data you collect
Website users have a right to know what information you are collecting on them, and to refuse to give you that information. Some of this information will be obvious, such as user registration fields. However, some can be collected without the user knowing — for example hidden form fields, cookies, and local storage in Flash or HTML5.
EU cookie law
All websites owned in the EU, or targeted towards EU citizens, are expected to comply with the “Cookie law” (which applies to all local storage methods, not just cookies). This should:
- Tell the user that you will be storing cookies
- Get their agreement (opt-out is assumed to be acceptable) or provide instructions on how to refuse
- Provide more information about the cookies (see Cookies policy)
What you do with that personal data
Privacy policy
The Data Protection Act 1998 specifies that if a business collects and uses data that relates to an identifiable living person, it must give that person information including:
- The business which owns the website
- What personal data the business will collect
- What use will be made of that data
That person also has the right of access to the data, and the right to have it corrected. Instructions on how to go about this should also be included in the privacy policy.
Cookies policy
This can be treated as a subsidiary of the privacy policy. It should include:
- A list of the cookies collected
- Who issues these cookies and how they will be used
- Information on how to block or delete cookies
For general information about cookies, you could link to http://www.aboutcookies.org.
About online purchases
Terms and conditions — commercial
Policies for Terms and Conditions, and Delivery and Returns, are required as part of the Consumer Protection (Distance Selling) Regulations and Electronic Commerce Regulations (EC Directive). These terms must state:
- The identity and postal address of the supplier
- A description of the service
- The contract price, inclusive of taxes (including VAT information if applicable)
- Delivery costs (if applicable)
- Payment and delivery arrangements
- Notification of the right of cancellation
- The cost of the means of communication by which the contract is to be concluded (eg premium rate telephone numbers)
- The period for which the terms are available
- Minimum duration of the contract, where it is not of one-off performance
PCI DSS
If you store, process, or transmit cardholder data on your servers, you will be subject to Payment Card Industry Data Security Standard requirements. These are onerous, so in most cases we recommend outsourcing payment gateways to external suppliers.
Other legal requirements
Access
The Equality Act (2010) advises that a website must satisfy Priority 1 (Level A), and should satisfy Priority 2 (Level AA), of the W3C Web Content Accessibility Guidelines. Priority 3 (Level AAA) is not generally considered to be relevant.
While these guidelines are generally met during the website design and development process, they also need to be considered when content is added. For example, images added to the site should have the ALT attribute added to provide alternate text for screen readers.
Copyright and trademarks
All original work is copyrighted by default, so there is no legal requirement to put a © notice on your website. Likewise, there is no requirement to display ™ or ® symbols, though you may wish to do so in order to notify users of your intellectual property.
Depending on the sources of your content, you may need or want to supply copyright information and credits — eg for images or graphics.
Terms and conditions — general
A general T&Cs page (as opposed to the commercial version discussed above) can be used to gather together various legal notices such as legal disclosure, usage, copyright, disclaimers, etc.
Digital decisions are never a walk in the park, so let me help you find the right way through the technical landscape.
